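# NixOS module: Seafile with OAuth/OIDC login, published through Caddy.
{ config, pkgs, ... }:
let
  # Public host name for Seafile; every self-referencing URL below is derived from it.
  domain = "seafile.${config.networking.domain}";
in
{
  services.seafile = {
    enable = true;
    adminEmail = "admin@rfive.de";
    # NOTE(review): this literal is stored in the world-readable Nix store and
    # becomes the local admin password. The Caddy redirect below only diverts
    # the browser login page; it does not disable password authentication for
    # this account. Change the password after first start, or confirm that
    # password login is disabled elsewhere.
    initialAdminPassword = "unused garbage";
    ccnetSettings.General.SERVICE_URL = "https://${domain}";
    ccnetSettings.General.FILE_SERVER_ROOT = "https://${domain}/seafhttp";
    seafileSettings.fileserver.port = 8083;
    # Python appended to the seahub settings.
    # - The client secret is read at runtime from a file, which keeps it out of
    #   the Nix store. The file should be readable only by the account seahub
    #   runs as (TODO confirm ownership and mode).
    # - OAUTH_ENABLE_INSECURE_TRANSPORT relaxes the OAuth client's HTTPS
    #   requirement. Every endpoint configured here is https, so it is
    #   presumably set because seahub sees plain HTTP behind Caddy. Confirm it
    #   is still needed and that seahub is reachable only through the proxy.
    # - OAUTH_REDIRECT_URL is built from `domain` so it always matches
    #   SERVICE_URL and the Caddy virtual host. It must equal the redirect URI
    #   registered at the identity provider.
    # - OAUTH_PROVIDER_DOMAIN is left as a literal on purpose, since changing
    #   it may alter how accounts are identified (verify before touching).
    # - "email" is the only required attribute, so accounts are presumably
    #   keyed on the provider's email claim. Make sure users cannot change
    #   that claim to an unverified address at the provider.
    seahubExtraConf = ''
      ENABLE_OAUTH = True
      OAUTH_ENABLE_INSECURE_TRANSPORT = True
      OAUTH_CLIENT_ID = "seafile"
      with open('/var/lib/seafile/.oidcSecret') as f:
          OAUTH_CLIENT_SECRET = f.readline().rstrip()
      OAUTH_REDIRECT_URL = 'https://${domain}/oauth/callback/'
      OAUTH_PROVIDER_DOMAIN = 'seafile.rfive.de'
      OAUTH_AUTHORIZATION_URL = 'https://auth.rfive.de/application/o/authorize/'
      OAUTH_TOKEN_URL = 'https://auth.rfive.de/application/o/token/'
      OAUTH_USER_INFO_URL = 'https://auth.rfive.de/application/o/userinfo/'
      OAUTH_SCOPE = [
          "openid",
          "profile",
          "email"]
      OAUTH_ATTRIBUTE_MAP = {
          "id": (False, "not used"),
          "name": (False, "full name"),
          "email": (True, "email"),
      }
    '';
  };

  # Caddy front end:
  # - /accounts/login is redirected to the OAuth login. The matcher is an
  #   exact path, so other authentication paths are not covered.
  # - Everything else goes to seahub over its unix socket.
  # - /seafhttp/* has the prefix stripped and is proxied to the file server
  #   on loopback.
  # NOTE(review): the /media/* route only sets `root`. No `file_server` is
  # visible here, so those requests appear to fall through to the seahub
  # proxy. Confirm this is intended.
  services.caddy.virtualHosts."${domain}".extraConfig = ''
    redir /accounts/login /oauth/login
    reverse_proxy unix//run/seahub/gunicorn.sock
    route /media/* {
      root * ${pkgs.seahub}
    }
    route /seafhttp/* {
      uri strip_prefix /seafhttp
      reverse_proxy 127.0.0.1:${toString config.services.seafile.seafileSettings.fileserver.port}
    }
  '';
}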