{ config, ... }:

{
  services.collabora-online = {
    enable = true;

    settings = {
      ssl = {
        enable = false;
        termination = true;
      };

      net = {
        listen = "loopback";
        post_allow.host = ["::1" "172.0.0.1"];
      };

      # ouvre seulement les fichiers depuis nextcloud
      storage.wopi = {
        "@allow" = true;
        host = ["nextcloud.crans.org" "nextcloud.adm.crans.org"];
      };

      admin_console.enable_pam = true;

      server_name = "collabora.crans.org";
    };
  };

  # Authentification pour la console d'administration (accès pour les nounous)
  security.pam.services.coolwsd = {
    unixAuth = true;
    requireWheel = true;
    rules.auth.wheel = {
      order = config.security.pam.services.login.rules.auth.ldap.order + 10;
      settings.group = "_nounou";
    };
  };

  services.nginx = {
    enable = true;

    virtualHosts = {
      "collabora.crans.org" = {
        locations."/" = {
          proxyPass = "http://localhost:${toString config.services.collabora-online.port}";
          proxyWebsockets = true; # collabora a besoin des websockets
        };
      };
      "collabora.adm.crans.org" = {
        locations."/" = {
          proxyPass = "http://localhost:${toString config.services.collabora-online.port}";
          proxyWebsockets = true; # collabora a besoin des websockets
        };
      };
    };
  };
}