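# ssh-keygen -f /etc/ssh/ssh_host_ed25519_key
# ssh-keygen -f ~/.ssh/.containers
# edit secrets file
# agenix -e secret.age
#
# Declarative NixOS containers (nextcloud, livebook, grocy, onlyoffice), each
# on bridge br0 with its own 192.168.12.x address and its own agenix secrets.
#
# NOTE(review): every container bind-mounts the host's SSH host private key
# and uses it as its agenix identity. Root inside any one container can read
# that key and decrypt every secret encrypted to it. A dedicated key per
# container (presumably what the second ssh-keygen line above was for) would
# limit exposure to that container's own secrets.
{ inputs, config, lib, pkgs, ... }:
{
  containers = {
    nextcloud = {
      privateNetwork = true;
      # hostAddress = "192.168.12.40";
      localAddress = "192.168.12.71/24";
      hostBridge = "br0";
      autoStart = true;
      bindMounts = {
        "/etc/ssh/ssh_host_ed25519_key".isReadOnly = true;
      };
      config = { config, pkgs, ... }: {
        networking.firewall.allowedTCPPorts = [ 80 ];
        imports = [ inputs.agenix.nixosModules.default ];
        age = {
          identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
          secrets."nextcloud" = {
            file = ../secrets/nextcloud.age;
            # Read-only for owner and group: a secret file needs neither the
            # write nor the execute bits that "770" granted.
            mode = "0440";
            owner = "nextcloud";
            group = "nextcloud";
          };
        };
        services.openssh = {
          enable = true;
          ports = [ 22 ];
          settings = {
            # NOTE(review): password logins are enabled. Key-only auth
            # (PasswordAuthentication = false plus authorized keys for the
            # allowed user) removes the password-guessing surface. Left
            # unchanged because no authorized keys are declared in this file.
            PasswordAuthentication = true;
            AllowUsers = [ "wayne" ]; # Allows all users by default. Can be [ "user1" "user2" ]
            UseDns = true;
            X11Forwarding = false;
            PermitRootLogin = "no"; # "yes", "without-password", "prohibit-password", "forced-commands-only", "no"
          };
        };
        services.nextcloud = {
          enable = true;
          package = pkgs.nextcloud30;
          hostName = "nextcloud";
          # Plain HTTP: logins and file contents cross the bridge unencrypted
          # unless a TLS-terminating proxy sits in front (none is visible here).
          https = false;
          database.createLocally = true;
          configureRedis = true;
          autoUpdateApps.enable = true;
          maxUploadSize = "16G";
          extraAppsEnable = true;
          appstoreEnable = true;
          extraApps = with config.services.nextcloud.package.packages.apps; {
            # List of apps we want to install and are already packaged in
            # https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/nextcloud/packages/nextcloud-apps.json
            inherit calendar contacts mail notes onlyoffice tasks qownnotesapi;

            # Custom app installation example.
            # cookbook = pkgs.fetchNextcloudApp rec {
            #   url =
            #     "https://github.com/nextcloud/cookbook/releases/download/v0.10.2/Cookbook-0.10.2.tar.gz";
            #   sha256 = "sha256-XgBwUr26qW6wvqhrnhhhhcN4wkI+eXDHnNSm1HDbP6M=";
            # };
          };
          enableImagemagick = true;
          settings = {
            default_phone_region = "US";
            trusted_domains = [ "localhost" "launchpad" "192.168.12.40" "192.168.12.71" ];
          };
          config = {
            dbtype = "pgsql";
            adminuser = "nextcloud";
            # Path of the decrypted agenix secret; the password itself never
            # enters the Nix store.
            adminpassFile = config.age.secrets.nextcloud.path;
          };
        };
        system.stateVersion = "24.05";
      };
    };

    livebook = {
      autoStart = true;
      privateNetwork = true;
      hostBridge = "br0";
      localAddress = "192.168.12.72/24";
      bindMounts = {
        "/etc/ssh/ssh_host_ed25519_key".isReadOnly = true;
      };
      config = { config, pkgs, ... }: {
        networking.firewall.allowedTCPPorts = [ 80 ];
        imports = [ inputs.agenix.nixosModules.default ];
        age = {
          identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
          secrets."whayes" = {
            file = ../secrets/whayes.age;
            # Read-only for owner and group; see the nextcloud secret above.
            mode = "0440";
            owner = "wayne";
            group = "wayne";
          };
        };
        services.livebook = {
          enableUserService = true;
          environment = {
            LIVEBOOK_PORT = 20123;
            # LIVEBOOK_PASSWORD is deliberately not set here. It was assigned
            # `config.age.secrets.whayes.path`, which evaluates to the path of
            # the decrypted file, not its contents, so the login password
            # became that predictable path string. Values under `environment`
            # also end up in the unit definition. Supply the password through
            # environmentFile instead.
          };
          # Must contain a line `LIVEBOOK_PASSWORD=<password>` and be readable
          # only by the user running Livebook. Secrets passed this way stay
          # out of the unit definition and the Nix store.
          environmentFile = "/var/lib/livebook.env";
          extraPackages = with pkgs; [ gcc gnumake ];
        };
        system.stateVersion = "24.05";
      };
    };

    grocy = {
      autoStart = true;
      privateNetwork = true;
      hostBridge = "br0";
      localAddress = "192.168.12.73/24";
      bindMounts = {
        "/etc/ssh/ssh_host_ed25519_key".isReadOnly = true;
      };
      config = { config, pkgs, ... }: {
        networking.firewall.allowedTCPPorts = [ 80 ];
        imports = [ inputs.agenix.nixosModules.default ];
        age = {
          identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
          # NOTE(review): nothing in this container's config references this
          # secret. If grocy does not need it, dropping the declaration keeps
          # the decrypted file out of the container.
          secrets."whayes" = {
            file = ../secrets/whayes.age;
            # Read-only for owner and group; see the nextcloud secret above.
            mode = "0440";
            owner = "wayne";
            group = "wayne";
          };
        };
        services.grocy = {
          enable = true;
          hostName = "grocy";
          settings = {
            currency = "USD";
            culture = "en";
          };
          nginx = {
            # Plain HTTP, as with nextcloud above.
            enableSSL = false;
          };
          phpfpm = {
            settings = {
              catch_workers_output = true;
              "listen.owner" = "nginx";
              "php_admin_flag[log_errors]" = true;
              "php_admin_value[error_log]" = "stderr";
              pm = "dynamic";
              "pm.max_children" = "32";
              "pm.max_requests" = "500";
              "pm.max_spare_servers" = "4";
              "pm.min_spare_servers" = "2";
              "pm.start_servers" = "2";
            };
          };
        };
        system.stateVersion = "24.05";
      };
    };

    onlyoffice = {
      autoStart = true;
      privateNetwork = true;
      hostBridge = "br0";
      localAddress = "192.168.12.74/24";
      bindMounts = {
        "/etc/ssh/ssh_host_ed25519_key".isReadOnly = true;
      };
      config = { config, lib, pkgs, ... }: {
        networking.firewall.allowedTCPPorts = [ 80 ];
        # NOTE(review): allowUnfree = true permits every unfree package, so
        # the predicate below does not narrow anything. Keep only the
        # predicate if corefonts is the sole unfree package intended.
        nixpkgs.config.allowUnfree = true;
        nixpkgs.config.allowUnfreePredicate = pkg:
          builtins.elem (lib.getName pkg) [ "corefonts" ];
        fonts.packages = with pkgs; [ corefonts ];
        imports = [ inputs.agenix.nixosModules.default ];
        age = {
          identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
          secrets."onlyoffice" = {
            file = ../secrets/onlyoffice-jwt.age;
            # Read-only for owner and group; see the nextcloud secret above.
            mode = "0440";
            owner = "onlyoffice";
            group = "onlyoffice";
          };
        };
        services.onlyoffice = {
          enable = true;
          port = 8000;
          hostname = "onlyoffice";
          package = pkgs.onlyoffice-documentserver;
          # JWT secret is read from the decrypted agenix file at runtime.
          jwtSecretFile = config.age.secrets.onlyoffice.path;
          # NOTE(review): the example server is a demo application. Confirm it
          # is wanted and not reachable by untrusted clients before leaving it
          # enabled.
          enableExampleServer = true;
          examplePort = 8001;
        };
        system.stateVersion = "24.05";
      };
    };

    # template = {
    #   autoStart = true;
    #   privateNetwork = true;
    #   hostBridge = "br0";
    #   localAddress = "192.168.12.73/24";
    #   bindMounts = {
    #     "/etc/ssh/ssh_host_ed25519_key".isReadOnly = true;
    #   };
    #   config = { config, pkgs, ... }:
    #     {
    #       networking.firewall.allowedTCPPorts = [ 80 ];
    #       imports = [ inputs.agenix.nixosModules.default ];
    #       age = {
    #         identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
    #         secrets."whayes" = {
    #           file = ../secrets/whayes.age;
    #           mode = "0440";
    #           owner = "wayne";
    #           group = "wayne";
    #         };
    #       };
    #       services.name = { ... };
    #       system.stateVersion = "24.05";
    #     };
    # };
  };
}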