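# NixOps configuration for the hosts running Nextcloud
#
# Nextcloud (PostgreSQL backend) served by nginx with ACME certificates.
# Database and admin passwords are NixOps deployment keys delivered to
# /run/keys; ../secrets/nextcloud.nix (not shown here) is expected to declare them.
{ config, pkgs, lib, ... }:
let
  # Single source of truth for the public hostname; used by the Nextcloud
  # module, the nginx vhost, the ACME cert and the legacy redirect.
  hostName = "cloud.mcwhirter.io";
in
{
  imports = [ ../secrets/nextcloud.nix ];

  services.nextcloud = {
    enable = true;
    inherit hostName; # FQDN for the Nextcloud instance
    https = true; # Generate HTTPS links
    package = pkgs.nextcloud25;

    config = {
      dbtype = "pgsql";
      dbname = "nextcloud";
      dbhost = "/run/postgresql"; # Unix socket of the local PostgreSQL
      dbuser = "nextcloud";
      # Both files are NixOps deployment keys; they only exist once the
      # matching *-key.service has run, hence the systemd ordering below.
      dbpassFile = "/run/keys/nextcloud-dbpass";
      adminpassFile = "/run/keys/nextcloud-admin";
      adminuser = "root";
      overwriteProtocol = "https"; # TLS is terminated by nginx, so force https:// in generated URLs
      defaultPhoneRegion = "AU"; # Country code used when parsing phone numbers
    };

    autoUpdateApps = {
      enable = true; # Regularly update all installed apps
      startAt = "01:00:00"; # systemd calendar expression
    };

    # Keeps the legacy (RC4-based) cipher for Nextcloud server-side
    # encryption disabled. This option is unrelated to TLS/SSL versions;
    # only enable it if an existing SSE-encrypted store cannot be migrated.
    enableBrokenCiphersForSSE = false;
  };

  systemd.services = {
    # NOTE(review): the NixOS Nextcloud module ships nextcloud-setup and
    # phpfpm-nextcloud units rather than a plain "nextcloud" unit, so the key
    # ordering is attached to those units; confirm against the module in use.
    # If the admin password key has its own *-key unit, add it alongside the
    # dbpass key below.
    nextcloud-setup = {
      # PostgreSQL and the database-password key must be up before the
      # install/upgrade step reads dbpassFile/adminpassFile.
      requires = [ "postgresql.service" ];
      after = [ "postgresql.service" "nextcloud-dbpass-key.service" ];
      wants = [ "nextcloud-dbpass-key.service" ];
    };
    phpfpm-nextcloud = {
      # The PHP pool reads dbpassFile at runtime, so it needs the key as well.
      after = [ "nextcloud-dbpass-key.service" ];
      wants = [ "nextcloud-dbpass-key.service" ];
    };
  };

  services.postgresql = {
    enable = true;
    ensureDatabases = [ "nextcloud" ]; # Database is created declaratively
    ensureUsers = [
      {
        name = "nextcloud"; # Role is created declaratively
        ensurePermissions = {
          "DATABASE nextcloud" = "ALL PRIVILEGES";
          "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
        };
      }
    ];
  };

  services.postgresqlBackup.databases = [ "nextcloud" ];

  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    virtualHosts = {
      # The vhost the Nextcloud module populates; the name must equal
      # services.nextcloud.hostName.
      ${hostName} = {
        enableACME = true;
        forceSSL = true;
      };
      # Legacy hostname, permanently redirected to the current one.
      # NOTE(review): this vhost is plain HTTP only; add enableACME/forceSSL
      # here if https://owncloud.mcwhirter.io is also expected to work.
      "owncloud.mcwhirter.io" = {
        globalRedirect = hostName;
      };
    };
  };

  security.acme = {
    acceptTerms = true;
    certs.${hostName}.email = "craige@mcwhirter.io";
  };

  users.groups.keys.members = [ "nextcloud" ]; # Required due to NixOps issue #1204
  users.groups.nextcloud.members = [ "nextcloud" ]; # Added for keys permissions

  networking.firewall.allowedTCPPorts = [ 80 443 ]; # HTTP (ACME challenge, redirect) and HTTPS
}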