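{ config, pkgs, lib, mkDomain, ... }:
{
  # hedgedoc
  # Realtime collaborative markdown notes on all platforms

  # htpasswd is read by nginx (auth_basic below), so nginx's user owns it;
  # the env file is read only by the hedgedoc service, which is restarted
  # whenever the secret changes.
  sops.secrets."hedgedoc/htpasswd".owner = config.services.nginx.user;
  sops.secrets."hedgedoc/env-file".owner = "hedgedoc";
  sops.secrets."hedgedoc/env-file".restartUnits = [ "hedgedoc.service" ];

  services.hedgedoc = {
    enable = true;
    # FIXME: make it load
    environmentFile = config.sops.secrets."hedgedoc/env-file".path;

    # Loopback only; the nginx vhost below is the sole public entry point.
    settings.host = "localhost";
    settings.port = 44776;

    # reverse proxy
    settings.domain = mkDomain "hedgedoc";
    # Option key is "enable" (a misspelled key is not rejected by the
    # settings type and would silently leave HSTS off).
    settings.hsts.enable = true;
    settings.useSSL = false; # we terminate ssl with nginx
    settings.protocolUseSSL = true; # https:// prefix
    settings.urlAddPort = false;

    settings.db.dialect = "sqlite";
    settings.db.storage = "${config.services.hedgedoc.workDir}/db.sqlite";

    settings.email = false; # email sign-in
    settings.allowFreeURL = true; # allow note creation by accessing a nonexistent note URL.
    #settings.allowAnonymous = false; # default is true
    settings.allowEmailRegister = false; # default is true
    settings.allowAnonymousEdits = false; # default is false
    #settings.uploadsPath

    # content security policy
    #settings.csp = {
    #  enable = true;
    #  addDefaults = true;
    #  upgradeInsecureRequest = "auto";
    #  #directives.scriptSrc = "trustworthy.scripts.example.com";
    #};
    #settings.useCDN = true;
    #settings.debug = true;

    # there are also a metric fuckton of integration services, like github, twitter, minio, mattermost, dropbox etc.
    # there are also auth options, like ldap, saml and oauth2
  };

  services.nginx.virtualHosts.${mkDomain "hedgedoc"} = lib.mkIf config.services.hedgedoc.enable {
    forceSSL = true;
    # addSSL = true;
    enableACME = true;
    #useACMEHost = acmeDomain;

    locations."/" = {
      proxyPass = "http://localhost:${toString config.services.hedgedoc.settings.port}";
      proxyWebsockets = true;
      # TODO: proxy headers:
      # https://docs.hedgedoc.org/guides/reverse-proxy/
      extraConfig = ''
        auth_basic "Ke 'e e u vill?!?";
        auth_basic_user_file ${config.sops.secrets."hedgedoc/htpasswd".path};
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
      '';
    };

    # "always" attaches the headers to every response, including the 401
    # challenge from auth_basic; without it nginx only adds them to 2xx/3xx.
    # nginx does not inherit server-level add_header into a location that
    # declares its own add_header, so keep these here and avoid add_header
    # inside locations."/".
    extraConfig = ''
      add_header X-Frame-Options SAMEORIGIN always;
      add_header X-Content-Type-Options nosniff always;
      add_header Referrer-Policy strict-origin-when-cross-origin always;
    '';
  };
}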