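{ config, lib, pkgs, ... }:

let
  # Pinned fork of HedgeDoc: rev and sha256 fix the exact source tree, so the
  # build is reproducible and cannot silently pick up changes from the remote.
  hedgedoc-patched = pkgs.hedgedoc.overrideAttrs (old: {
    src = pkgs.fetchgit {
      url = "https://stuebinm.eu/git/hedgedoc";
      rev = "b0f98a43381486995b99ed79e0eabb3af149dbf3";
      sha256 = "1199k5q8wampkw2ri4wgwzqgh1ff0l4kdxx9h8ywqy2f7faf922c";
    };
  });

  # Port HedgeDoc listens on inside the container. Shared with the nginx
  # proxyPass below so the two values cannot drift apart.
  codimdPort = 3000;
in
{
  # Container containing CodiMD and its database
  # has its own internal network; needs a reverse-proxy to be reachable from the outside
  # TODO: persistent memory for pads
  containers.codimd = {
    autoStart = true;
    privateNetwork = true;
    hostAddress6 = "fd00::42:10";
    localAddress6 = "fd00::42:11";

    config = { config, pkgs, ... }: {
      # open CodiMD port
      networking.firewall.allowedTCPPorts = [ config.services.hedgedoc.configuration.port ];

      # database (postgres 11), with default database reachable for CodiMD; no imperative config needed!
      services.postgresql = {
        enable = true;
        package = pkgs.postgresql_11;
        ensureDatabases = [ "codimd" ];
        ensureUsers = [
          {
            name = "hedgedoc";
            ensurePermissions = { "DATABASE codimd" = "ALL PRIVILEGES"; };
          }
        ];
        # ugly workaround to allow CodiMD to login without password — this service has lots of options,
        # but apparently not for authentication, which even needs to be forced …
        #
        # mkForce discards the module's default pg_hba.conf entirely, so the
        # `postgres` superuser gets its own peer line: ensureDatabases /
        # ensureUsers run as that OS user over the unix socket and would
        # otherwise be locked out. Passwordless (trust) access is limited to
        # the hedgedoc role on the codimd database instead of `all all`, and
        # the loopback mask is ::1/128 — the previous ::1/18 matched far more
        # than the loopback address.
        authentication = pkgs.lib.mkForce ''
          # Generated file; do not edit!
          local codimd  hedgedoc           trust
          local all     postgres           peer
          host  codimd  hedgedoc  ::1/128  trust
          host  codimd  codimd    ::1/128  trust
        '';
      };

      # CodiMD itself
      services.hedgedoc = {
        enable = true;
        workDir = "/var/codimd/";
        configuration = {
          dbURL = "postgres:///codimd";
          port = codimdPort;
          domain = "nix.stuebinm.eu";
          urlAddPort = false;
          protocolUseSSL = true;
          allowPDFExport = true;
          # bind on all container interfaces; the host-side nginx reaches it
          # via localAddress6
          host = "::";
          allowEmailRegister = false;
          allowFreeURL = true;
          uploadsPath = "/var/codimd/uploads";
          #email = false;
        };
      };

      # run the pinned fork instead of the binary the module would start
      systemd.services.hedgedoc.serviceConfig.ExecStart =
        pkgs.lib.mkForce "${hedgedoc-patched}/bin/hedgedoc";
    };
  };

  networking.firewall.allowedTCPPorts = [ 80 443 ];

  # TLS-terminating reverse proxy in front of the container
  services.nginx.virtualHosts."nix.stuebinm.eu" = {
    locations."/" = {
      proxyPass = "http://[" + config.containers.codimd.localAddress6 + "]:" + toString codimdPort;
      proxyWebsockets = true;
    };
    forceSSL = true;
    enableACME = true;
  };
}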