# NixOS module: runs the Outline wiki and publishes it through an nginx
# virtual host that terminates TLS with the ACME certificate of the base domain.
# The Dex OIDC provider sections are kept commented out ("bootstrapping only").
{ config, pkgs, ... }:

let
  # Base domain shared by every name derived below.
  inherit (config.networking) domain;

  outline = {
    hostname = "outline.${domain}";
    mail = "outline@${domain}";
  };

  # bootstrapping only
  # dex = {
  #   hostname = "dex.${config.networking.domain}";
  # };
in
{
  services.outline = {
    enable = true;
    publicUrl = "https://${outline.hostname}";
    storage.storageType = "local";

    smtp = {
      # Local relay on the loopback interface.
      # host = "arielle.ktiu.net";
      host = "localhost";
      # port = 587;
      port = 25;
      # TLS is off for the SMTP hop; mail and the SMTP login only travel over
      # loopback with the settings above.
      # NOTE(review): revisit this when switching to the commented-out remote
      # relay, since the credentials would then cross the network.
      secure = false;

      username = "outline";
      # Given as a string, not a Nix path literal, so the secret is referenced
      # in place instead of being copied into the world-readable Nix store.
      # Ownership and mode of the file are not managed by this module.
      passwordFile = "/var/custom-access/outline-smtp-password.txt";

      fromEmail = outline.mail;
      replyEmail = outline.mail;
    };

    # NOTE(review): with the OIDC block below disabled, this file enables no
    # authentication provider for Outline; presumably one is configured in
    # another module. Confirm.
    # oidcAuthentication = {
    #   authUrl = "https://${dex.hostname}/auth";
    #   tokenUrl = "https://${dex.hostname}/token";
    #   userinfoUrl = "https://${dex.hostname}/userinfo";
    #   clientId = "outline";
    #   clientSecretFile = (builtins.elemAt config.services.dex.settings.staticClients 0).secretFile;
    #   scopes = [ "openid" "email" "profile" ];
    #   usernameClaim = "preferred_username";
    #   displayName = "Dex";
    # };
  };

  # NOTE(review): the spelling "dex-environemnt" is kept as found; check it
  # against the file on disk before re-enabling this block.
  # services.dex = {
  #   enable = true;
  #   environmentFile = "/var/custom-access/dex-environemnt";
  #   settings = {
  #     issuer = "https://${dex.hostname}";
  #     storage.type = "sqlite3";
  #     web.http = "127.0.0.1:5556";
  #     staticClients = [
  #       {
  #         id = "outline";
  #         name = "Outline Client";
  #         redirectURIs = [ "https://${outline.hostname}/auth/oidc.callback" ];
  #         secretFile = "/var/custom-access/outline-oidc-secret.txt";
  #       }
  #     ];
  #     enablePasswordDB = true;
  #     staticPasswords = [
  #       {
  #         email = "till@ktiu.net";
  #         # gen hash with $ htpasswd -nBC 10 "" | tr -d ':\n'
  #         hash = "";
  #         username = "bootstrap-admin";
  #         # $ uuidgen
  #         userID = "";
  #       }
  #     ];
  #   };
  # };

  # Add the Outline name as a SAN on the base domain's certificate; the
  # virtual host below reuses that certificate through useACMEHost.
  security.acme.certs.${domain}.extraDomainNames = [
    outline.hostname
    # "dex.${config.networking.domain}"
  ];

  services.nginx.virtualHosts = {
    ${outline.hostname} = {
      useACMEHost = domain;
      # HTTPS listener only; this host gets no plain-HTTP listener or redirect.
      onlySSL = true;

      locations."/" = {
        proxyWebsockets = true;
        # TLS ends at nginx; the upstream hop is plain HTTP to the loopback address.
        proxyPass = "http://127.0.0.1:${toString config.services.outline.port}";
        # Pass the client-facing scheme on to the upstream.
        # NOTE(review): Host and X-Forwarded-* headers are not set here;
        # presumably services.nginx.recommendedProxySettings is enabled
        # elsewhere. Confirm.
        extraConfig = ''
          proxy_set_header X-Scheme $scheme;
        '';
      };
    };

    # "dex.${config.networking.domain}" = {
    #   onlySSL = true;
    #   useACMEHost = config.networking.domain;
    #   locations."/" = {
    #     proxyPass = "http://${config.services.dex.settings.web.http}";
    #     proxyWebsockets = true;
    #   };
    # };
  };
}