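{ config, lib, pkgs, ... }:

let
  # Read the oCIS options back so the init unit and the nginx vhost are
  # derived from one definition instead of repeating literal paths/ports.
  cfg = config.services.ocis;
  domain = "files.cloonar.com";
in
{
  sops.secrets.ocis-admin-password = {
    owner = "ocis";
  };

  # Upstream services.ocis module adds ReadOnlyPaths = [ configDir ] to the
  # systemd unit, which makes systemd fail the namespace setup if the path
  # does not exist, and it never runs `ocis init` to populate ocis.yaml with
  # the service's internal secrets. Run init in a separate oneshot so the
  # sandbox restrictions of ocis.service don't block writes to configDir.
  systemd.services.ocis-init = {
    description = "Initialize oCIS config (one-shot)";
    before = [ "ocis.service" ];
    requiredBy = [ "ocis.service" ];
    wantedBy = [ "multi-user.target" ];

    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
      User = "ocis";
      Group = "ocis";
      StateDirectory = "ocis";
      # Hand the secret over as a systemd credential rather than through the
      # environment: it is only readable from this unit's
      # $CREDENTIALS_DIRECTORY and does not leak into `systemctl show`.
      LoadCredential = "admin-password:${config.sops.secrets.ocis-admin-password.path}";
    };

    # Paths come from services.ocis so this unit cannot drift from the
    # directory ocis.service is actually sandboxed to. ocis.yaml holds the
    # generated internal service secrets, hence mode 0700.
    script = ''
      install -d -m 0700 ${lib.escapeShellArg cfg.configDir}
      if [ ! -f ${lib.escapeShellArg cfg.configDir}/ocis.yaml ]; then
        # NOTE(review): the admin password is passed on argv, so it is
        # briefly visible in /proc/<pid>/cmdline to other local users while
        # init runs (first boot only). If the installed version's `init`
        # accepts the password from the environment (check `ocis init
        # --help`), prefer that. Keep this binary the same one ocis.service
        # runs, otherwise init may write a config a different version
        # cannot read.
        ${lib.getExe pkgs.ocis_5-bin} init \
          --config-path ${lib.escapeShellArg cfg.configDir} \
          --admin-password "$(cat "$CREDENTIALS_DIRECTORY/admin-password")" \
          --insecure true
      fi
    '';
  };

  services.ocis = {
    enable = true;
    url = "https://${domain}";
    # Loopback only: the service is reached exclusively through nginx below.
    address = "127.0.0.1";
    port = 9200;
    stateDir = "/var/lib/ocis";
    configDir = "/var/lib/ocis/config";

    environment = {
      # Proxy - SSL terminated at nginx. This is cleartext between nginx and
      # oCIS, which is acceptable only because `address` is loopback.
      PROXY_TLS = "false";
      # `ocis init --insecure true` above writes the opposite into ocis.yaml;
      # environment variables are expected to take precedence over the
      # config file at runtime, so verification stays enabled — confirm
      # against the oCIS config precedence docs before relying on it.
      OCIS_INSECURE = "false";

      # OIDC - Authelia
      PROXY_OIDC_ISSUER = "https://auth.cloonar.com";
      PROXY_OIDC_REWRITE_WELLKNOWN = "true";
      # "none" skips local (JWT signature/expiry) verification of the access
      # token, which Authelia's opaque tokens cannot satisfy anyway. The
      # token is then validated by the userinfo lookup, so this is only
      # sound while PROXY_OIDC_SKIP_USER_INFO stays "false"; change the two
      # keys together — confirm in the oCIS proxy docs for this version.
      PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD = "none";
      PROXY_OIDC_SKIP_USER_INFO = "false";
      WEB_OIDC_CLIENT_ID = "ocis";

      # Auto-provision user accounts from OIDC claims. Presumably this means
      # who gets an account is decided entirely by Authelia's access control
      # for the "ocis" client; restrict it there.
      PROXY_AUTOPROVISION_ACCOUNTS = "true";
      PROXY_AUTOPROVISION_CLAIM_USERNAME = "preferred_username";
      PROXY_AUTOPROVISION_CLAIM_EMAIL = "email";
      PROXY_AUTOPROVISION_CLAIM_DISPLAYNAME = "name";
      PROXY_AUTOPROVISION_CLAIM_GROUPS = "groups";

      # Disable demo users (they ship with well-known default credentials).
      IDM_CREATE_DEMO_USERS = "false";

      # Move internal services off their defaults where Prometheus exporters
      # already bind on this host:
      # - node-exporter owns 9100 (oCIS web default)
      # - blackbox-exporter owns 9115 (oCIS webdav default)
      WEB_HTTP_ADDR = "127.0.0.1:19100";
      WEBDAV_HTTP_ADDR = "127.0.0.1:19115";
    };
  };

  # Nginx reverse proxy
  services.nginx.virtualHosts.${domain} = {
    forceSSL = true;
    enableACME = true;
    acmeRoot = null;

    locations."/" = {
      # Target derived from services.ocis so it cannot silently diverge.
      proxyPass = "http://${cfg.address}:${toString cfg.port}";
      proxyWebsockets = true;
      extraConfig = ''
        client_max_body_size 10G;
        proxy_read_timeout 600s;
        proxy_send_timeout 600s;
      '';
    };
  };
}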