{ config, pkgs, lib, mkDomain, ... }:

# HedgeDoc: realtime collaborative markdown notes on all platforms.
#
# Layout: HedgeDoc listens on loopback only, and nginx terminates TLS for the
# public virtual host and forwards plain HTTP to it.
let
  cfg = config.services.hedgedoc;
  domain = mkDomain "hedgedoc";
in
{
  services = {
    hedgedoc = {
      # FIXME: the service does not load yet, so it stays disabled. The nginx
      # virtual host below is gated on this flag and is not created either.
      #enable = true;

      settings = {
        # Loopback bind: the only intended path in is the nginx proxy below.
        host = "127.0.0.1";
        port = 44776;

        db = {
          dialect = "sqlite";
          storage = "${cfg.workDir}/db.hedgedoc.sqlite";
        };

        inherit domain;

        # Guests may create notes without logging in. Once the vhost is
        # public, anyone who can reach it can store content on this host.
        allowAnonymous = true;
        # Self-service e-mail registration is off (upstream default is true).
        # NOTE(review): no other auth provider is configured in this file, so
        # confirm how accounts are meant to be created.
        allowEmailRegister = false;
        # Upstream default is false.
        # NOTE(review): per the HedgeDoc docs this flag appears to matter only
        # when allowAnonymous is false; confirm the combination is intended.
        allowAnonymousEdits = false;

        # Generated links use the https:// prefix...
        protocolUseSSL = true;
        # ...but HedgeDoc itself speaks plain HTTP; nginx terminates TLS.
        useSSL = false;

        # Content security policy is still TODO. HedgeDoc renders user-supplied
        # markdown, so the policy is part of the XSS defence.
        # NOTE(review): left unset, upstream defaults apply; verify what they are.
        #csp = {TODO};
        # NOTE(review): enabling this would load front-end assets from a
        # third-party CDN; confirm before turning it on.
        #useCDN = true;
        # Keep off outside of troubleshooting.
        #debug = true;

        # Not configured here: the many integrations (github, twitter, minio,
        # mattermost, dropbox, ...) and the auth backends (ldap, saml, oauth2).
        # Their secrets should not be written into `settings`, because the
        # rendered config ends up in the world-readable Nix store; pass them
        # via services.hedgedoc.environmentFile instead.
      };
    };

    nginx.virtualHosts.${domain} = lib.mkIf cfg.enable {
      # Alternative: addSSL = true; (serve HTTPS without forcing it)
      forceSSL = true;
      # Alternative: useACMEHost = acmeDomain;
      enableACME = true;

      locations."/" = {
        proxyPass = "http://127.0.0.1:${toString cfg.settings.port}";
        # Needed for the realtime editor's websocket connection.
        proxyWebsockets = true;
        # TODO: proxy headers, see
        # https://docs.hedgedoc.org/guides/reverse-proxy/
        # NOTE(review): services.nginx.recommendedProxySettings sets Host and
        # the X-Forwarded-* headers; check it against that guide.
      };
    };
  };
}