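# NixOps configuration for the hosts running Nextcloud
#
# What this module wires together:
#   * two age-encrypted secrets (database password, initial admin password),
#     decrypted to /run/keys and readable only by the nextcloud user/group
#   * the Nextcloud service, backed by a local PostgreSQL reached over its
#     Unix socket (peer authentication through an ident map, see below)
#   * nginx with ACME certificates and forced HTTPS, plus a permanent
#     redirect from the old owncloud.* hostname
#   * the firewall openings for ports 80 and 443
{
  config,
  pkgs,
  lib,
  ...
}: {
  # Secrets are provisioned via age.secrets. Both files are created with
  # mode 0640, owner and group "nextcloud", so only the nextcloud user
  # (and members of the nextcloud group, see users.groups at the bottom)
  # can read them. The plaintext lives under /run/keys at runtime; only the
  # encrypted .age files are referenced from this configuration.
  age.secrets = {
    nextcloud-dbpass = {
      file = ../secrets/nextcloud-dbpass.age;
      path = "/run/keys/nextcloud-dbpass";
      mode = "0640";
      owner = "nextcloud";
      group = "nextcloud";
    };
    nextcloud-adminpass = {
      file = ../secrets/nextcloud-adminpass.age;
      path = "/run/keys/nextcloud-adminpass";
      mode = "0640";
      owner = "nextcloud";
      group = "nextcloud";
    };
  };

  services.nextcloud = {
    enable = true; # Enable Nextcloud
    hostName = "cloud.mcwhirter.io"; # FQDN for the Nextcloud instance
    https = true; # Generate HTTPS links
    config = {
      # Database connection: PostgreSQL on this host, over the Unix socket
      # directory rather than TCP.
      dbtype = "pgsql"; # Database type
      dbname = "nextcloud"; # Database name
      dbhost = "/run/postgresql"; # Unix-socket directory of the local PostgreSQL
      dbuser = "nextcloud"; # Database role
      # Passwords are read at runtime from the age-decrypted files above;
      # the paths are taken from the age.secrets definitions so they cannot
      # drift apart.
      dbpassFile = config.age.secrets.nextcloud-dbpass.path;
      adminpassFile = config.age.secrets.nextcloud-adminpass.path;
      adminuser = "root"; # Name of the Nextcloud admin account (a Nextcloud user, not the system root)
    };
    autoUpdateApps = {
      enable = true; # Run regular auto update of all apps installed
      startAt = "01:00:00"; # When to run the update (systemd calendar time)
      # NOTE(review): apps listed in extraApps below come from the pinned
      # nixpkgs package set; this timer presumably updates the remaining
      # store-installed apps from the app store at runtime — confirm that
      # is the intended split.
    };
    package = pkgs.nextcloud30; # Pin the Nextcloud major version explicitly
    # Apps installed from nixpkgs' packaged app set matching this Nextcloud
    # version. `inherit (…)` names the source set once instead of pulling
    # its whole scope in with `with`.
    extraApps = {
      inherit (config.services.nextcloud.package.packages.apps) bookmarks calendar contacts deck gpoddersync news notes tasks twofactor_webauthn;
    };
    extraAppsEnable = true; # Enable the apps above on every rebuild
    settings = {
      default_phone_region = "AU"; # Country code for automatic phone-number detection
      overwriteprotocol = "https"; # Force Nextcloud to always use HTTPS
    };
  };

  systemd = {
    services = {
      nextcloud = {
        # Ensure nextcloud starts after nixops keys are loaded
        # NOTE(review): "<name>-key.service" is the unit name NixOps'
        # deployment.keys would create, but the secrets in this file are
        # declared via age.secrets. Confirm this unit still exists on the
        # deployed host; if it does not, the ordering it is meant to
        # guarantee is not in effect. Also confirm that the unit which
        # actually reads dbpassFile (nextcloud-setup, as far as I can tell)
        # rather than "nextcloud" is the one that needs the ordering.
        after = ["nextcloud-dbpass-key.service"];
        wants = ["nextcloud-dbpass-key.service"];
      };
    };
  };

  services.postgresql = {
    enable = true; # Ensure postgresql is enabled
    # pg_hba line: connections over the Unix socket to database "nextcloud"
    # are authenticated by the connecting OS user's identity, translated
    # through the "nextcloud-users" map below. `peer` is the documented
    # method for local-socket lines; PostgreSQL silently treats `ident` on a
    # local line as `peer`, so naming it correctly does not change behaviour.
    authentication = ''
      local nextcloud all peer map=nextcloud-users
    '';
    identMap =
      # Map the nextcloud user to postgresql
      # Format: <map-name> <system-user> <database-role>. Only OS user
      # "nextcloud" may connect as role "nextcloud" via this map.
      ''
        nextcloud-users nextcloud nextcloud
      '';
    ensureDatabases = ["nextcloud"]; # Ensure the database persists
    ensureUsers = [
      {
        name = "nextcloud"; # Ensure the database user persists
        # The role owns the database of the same name (provided by ensureDatabases)
        ensureDBOwnership = true;
      }
    ];
  };

  # Include the nextcloud database in the host's PostgreSQL dumps
  services.postgresqlBackup.databases = ["nextcloud"];

  services.nginx = {
    enable = true; # Enable Nginx
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    virtualHosts."cloud.mcwhirter.io" = {
      # Nextcloud hostname
      enableACME = true; # Use ACME certs
      forceSSL = true; # Redirect HTTP to HTTPS
    };
    virtualHosts."owncloud.mcwhirter.io" = {
      # Legacy hostname: still gets a certificate so the redirect is served over TLS
      enableACME = true;
      forceSSL = true;
      globalRedirect = "cloud.mcwhirter.io"; # Redirect permanently to the host
    };
  };

  systemd.services."nextcloud-setup" = {
    # Ensure PostgreSQL is running first
    requires = ["postgresql.service"];
    after = ["postgresql.service"];
  };

  security.acme = {
    acceptTerms = true; # Accept the CA's terms of service (required for ACME)
    certs = {
      # Contact address for the certificates
      "cloud.mcwhirter.io" = {email = "craige@mcwhirter.io";};
      "owncloud.mcwhirter.io" = {email = "craige@mcwhirter.io";};
    };
  };

  users.groups.keys.members = ["nextcloud"]; # Required due to NixOps issue #1204
  users.groups.nextcloud.members = ["nextcloud"]; # Added for keys permissions

  # 80 for the HTTP->HTTPS redirect (and ACME challenges), 443 for TLS
  networking.firewall.allowedTCPPorts = [80 443]; # Open the required firewall ports
}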