{ config, pkgs, lib, ... }:

let
  # Public name and local listener of this HedgeDoc instance.
  domain = "md.feal.no";
  port = 3300;
  host = "0.0.0.0";

  # Kanidm is the OAuth2/OIDC identity provider; every OAuth2 endpoint
  # below is derived from its configured origin.
  kanidmOrigin = config.services.kanidm.serverSettings.origin;

  # sops-managed environment file carrying the two CMD_* secrets.
  envFile = config.sops.secrets."hedgedoc/env".path;
in
{
  # The env file contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET.
  # Keeping them in an environment file (rather than in `settings`) keeps the
  # secret values out of the world-readable Nix store; the settings below only
  # reference them by placeholder name. Rotating the file restarts the service.
  sops.secrets."hedgedoc/env".restartUnits = [ "hedgedoc.service" ];

  services.hedgedoc.enable = true;
  services.hedgedoc.environmentFile = envFile;
  services.hedgedoc.settings = {
    domain = domain;
    port = port;
    host = host;

    # Only affects the scheme of the URLs HedgeDoc generates; no useSSL/cert
    # options are set here, so TLS is presumably terminated by a reverse proxy
    # in front of port 3300 -- confirm.
    protocolUseSSL = true;

    # Placeholders are resolved from the environment file at service start.
    sessionSecret = "$CMD_SESSION_SECRET";

    allowFreeURL = true;
    # No anonymous users, but anonymous edits on notes whose permission is "freely".
    allowAnonymous = false;
    allowAnonymousEdits = true;

    # Empty password: authentication to PostgreSQL relies on the local auth
    # method configured for this user (pg_hba) -- verify it matches.
    dbURL = "postgres://hedgedoc:@localhost/hedgedoc";
    email = false;

    oauth2 = {
      baseURL = "${kanidmOrigin}/oauth2";
      tokenURL = "${kanidmOrigin}/oauth2/token";
      authorizationURL = "${kanidmOrigin}/ui/oauth2";
      userProfileURL = "${kanidmOrigin}/oauth2/openid/hedgedoc/userinfo";
      clientID = "hedgedoc";
      # Resolved from the environment file, see above.
      clientSecret = "$CMD_OAUTH2_CLIENT_SECRET";
      scope = "openid email profile";
      # Claims from the userinfo response mapped onto the HedgeDoc profile.
      userProfileUsernameAttr = "name";
      userProfileEmailAttr = "email";
      userProfileDisplayNameAttr = "displayname";
      providerName = "KaniDM";
    };
  };

  # Override the upstream unit's working/state directories so uploads land
  # under the service's own state directory.
  systemd.services.hedgedoc.serviceConfig.WorkingDirectory = lib.mkForce "/var/lib/hedgedoc";
  systemd.services.hedgedoc.serviceConfig.StateDirectory = lib.mkForce [ "hedgedoc" "hedgedoc/uploads" ];

  # NOTE(review): together with host = 0.0.0.0 this exposes HedgeDoc's plain
  # HTTP listener on port 3300 to every interface. If the TLS-terminating proxy
  # runs on this same machine, binding to 127.0.0.1 and dropping this rule would
  # keep session cookies off the network -- confirm where the proxy lives.
  networking.firewall.allowedTCPPorts = [ port ];

  # Local database and role for HedgeDoc.
  # NOTE(review): `ensurePermissions` was deprecated in newer NixOS releases in
  # favour of `ensureDBOwnership`; check against the pinned nixpkgs.
  services.postgresql.ensureDatabases = [ "hedgedoc" ];
  services.postgresql.ensureUsers = [
    {
      name = "hedgedoc";
      ensurePermissions."DATABASE \"hedgedoc\"" = "ALL PRIVILEGES";
    }
  ];
}