{ config, pkgs, lib, ... }:

{
  imports = [ ./flowback-options.nix ];

  # Enable nginx + ACME (TLS). Works when DNS points correctly.
  services.nginx.enable = true;

  security.acme.acceptTerms = true;
  # I will change this email later
  security.acme.defaults.email = "new.fadi.b@gmail.com";

  services.nextcloud = {
    enable = true;
    package = pkgs.nextcloud33;
    hostName = config.services.flowback.nextcloudHost;
    https = true;

    # Performance / reliability
    configureRedis = true;

    # DB locally (Postgres) — production-ready baseline
    database.createLocally = true;

    # Admin bootstrap secret will be wired via sops later.
    # For now, placeholder: you’ll set adminpassFile via sops secret.
    config = {
      adminuser = "admin";
      adminpassFile = "/var/lib/sops-nix/nextcloud-adminpass";
      dbtype = "pgsql";
    };
  };

  services.nginx.virtualHosts.${config.services.flowback.nextcloudHost} = {
    forceSSL = true;
    enableACME = true;
  };
}