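# NixOS module: CouchDB behind a Caddy reverse proxy, with the admin credentials
# supplied through sops-nix. Enabled by `config.profile.services.couchdb.enable`.
{
  config,
  lib,
  pkgs,
  ...
}:
let
  cfg = config.profile.services.couchdb;
  inherit (lib) mkIf;
in
{
  config = mkIf cfg.enable {
    sops = {
      # Both admin credentials are decrypted from the same sops file.
      secrets =
        let
          opts = {
            sopsFile = ../../secrets/couchdb.yaml;
          };
        in
        {
          "couchdb/admin/username" = opts;
          "couchdb/admin/password" = opts;
        };

      # The INI is generated with sops placeholders standing in for the
      # credentials, so the file in the Nix store holds only placeholders; the
      # real values are substituted when sops-nix renders the template.
      # builtins.readFile on a derivation output is import-from-derivation, so
      # evaluation has to build the INI first.
      templates."couchdb.ini" = {
        content = builtins.readFile (
          (pkgs.formats.ini { }).generate "couchdb.ini" {
            # [admins] takes `username = password`; both sides are placeholders.
            admins = {
              ${config.sops.placeholder."couchdb/admin/username"} =
                config.sops.placeholder."couchdb/admin/password";
            };
            chttpd = {
              # Reject every unauthenticated request.
              require_valid_user = true;
              # 4 GiB (2^32 bytes) ceiling on a single request body.
              max_http_request_size = 4294967296;
            };
            chttpd_auth = {
              require_valid_user = true;
            };
            httpd = {
              WWW-Authenticate = ''Basic realm="couchdb"'';
              # NOTE(review): CouchDB 3.x documents enable_cors under [chttpd];
              # confirm which section the deployed version reads.
              enable_cors = true;
            };
            couchdb = {
              # 50 MB (decimal) per document.
              max_document_size = 50 * 1000 * 1000;
            };
            cors = {
              credentials = true;
              # CouchDB reads its CORS allowlist from `origins` (plural), and a
              # `*` wildcard cannot be combined with credentials = true. Pin the
              # single origin that the Caddy vhost below also allows.
              origins = "app://obsidian.md";
            };
          }
        );
        # The rendered file contains the plaintext admin password, so it is
        # owned by the CouchDB service user rather than left world-readable.
        owner = config.services.couchdb.user;
      };
    };

    # CORS response headers are attached only when the request's Origin header
    # is exactly app://obsidian.md; `defer` applies them when the response is
    # written, i.e. on top of whatever the upstream returned.
    # Every OPTIONS request is answered with 204 by Caddy itself and is never
    # forwarded to CouchDB; all other requests are proxied to localhost:5984.
    services.caddy.virtualHosts."couchdb.tigor.web.id".extraConfig = ''
      @obsidian header Origin "app://obsidian.md"
      header @obsidian {
        Access-Control-Allow-Origin "app://obsidian.md"
        Access-Control-Allow-Methods "OPTIONS,HEAD,GET,POST,PUT,PATCH,DELETE"
        Access-Control-Allow-Credentials "true"
        Access-Control-Allow-Headers "Authorization,Content-Type"
        defer
      }
      @options method OPTIONS
      respond @options 204
      reverse_proxy localhost:5984
    '';

    services.couchdb = {
      enable = true;
      # NOTE(review): configFile is the file CouchDB persists runtime changes
      # to (presumably including the hashed form of the plaintext [admins]
      # entry), so it must be writable by the service user. Confirm the
      # rendered template's mode permits that, or pass the template through
      # services.couchdb.extraConfigFiles instead.
      configFile = config.sops.templates."couchdb.ini".path;
    };
  };
}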