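{ config, pkgs, ... }:
let
  format = pkgs.formats.json { };

  # Template for the CoAuthoring JWT settings.  It is written to the Nix store
  # (world-readable), so it must contain only the $ONLYOFFICE_PASS placeholder,
  # never the secret itself; the real value is substituted at service start.
  jwtSecretFileTemplate = format.generate "local.json" {
    services.CoAuthoring = {
      token.enable = {
        request = {
          inbox = true;
          outbox = true;
        };
        browser = true;
      };
      secret = {
        inbox.string = "$ONLYOFFICE_PASS";
        outbox.string = "$ONLYOFFICE_PASS";
        session.string = "$ONLYOFFICE_PASS";
      };
    };
  };

  # Rendered file; StateDirectory below guarantees its parent directory exists
  # and is owned by the onlyoffice user.
  jwtSecretFile = "/var/lib/onlyoffice/local.json";
in
{
  sops.secrets.onlyoffice-pass = {
    sopsFile = ../../secrets/chene.yaml;
    owner = "onlyoffice";
  };

  services.onlyoffice = {
    enable = true;
    port = 8000;
    hostname = "onlyoffice.crans.org";
    postgresHost = "tealc.adm.crans.org";
    postgresName = "onlyoffice";
    postgresUser = "onlyoffice";
    # The same sops secret doubles as the PostgreSQL password and as the JWT
    # signing secret rendered into the template above.
    postgresPasswordFile = config.sops.secrets.onlyoffice-pass.path;
    # NOTE(review): the nixpkgs onlyoffice module may expect jwtSecretFile to
    # hold the bare secret string rather than a JSON document — confirm against
    # the module before relying on the rendered local.json being parsed.
    inherit jwtSecretFile;
  };

  # Renders jwtSecretFileTemplate with the real secret before docservice starts.
  systemd.services.onlyoffice-docservice-secret = {
    description = "Écriture du JWT Secret File pour OnlyOffice";
    wantedBy = [ "onlyoffice-docservice.service" ];
    before = [ "onlyoffice-docservice.service" ];
    path = [ pkgs.envsubst ];
    script = ''
      set -euo pipefail
      # The rendered file carries the secret: restrict it to the onlyoffice
      # user instead of inheriting the default 0644.
      umask 077
      # Read on its own line so a failed read still trips `set -e`, then export:
      # envsubst is a child process and only sees exported variables.
      ONLYOFFICE_PASS="$(<${config.sops.secrets.onlyoffice-pass.path})"
      export ONLYOFFICE_PASS
      # Not quoted as one word (a quoted command line is looked up as a single
      # program name and fails).  -no-unset/-no-empty turn a missing or empty
      # secret into a hard failure instead of silently writing an empty JWT key.
      envsubst -no-unset -no-empty -i ${jwtSecretFileTemplate} -o ${jwtSecretFile}
    '';
    serviceConfig = {
      User = "onlyoffice";
      Group = "onlyoffice";
      # oneshot: with Type=simple, `before=` only orders the fork, so
      # docservice could start before local.json has been written.
      Type = "oneshot";
      StateDirectory = "onlyoffice";
    };
  };
}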