# NixOS module: runs Karakeep behind a Caddy virtual host and delegates
# sign-in to the homelab OIDC provider (local password login is disabled).
{ config, ... }:

let
  domain = config.homelab.domain;
  host = "karakeep.${domain}";

  # One definition for the listen port, so the application setting and the
  # reverse-proxy upstream cannot drift apart.
  port = "8023";

  # Kept as a string rather than a Nix path literal, so the file is referenced
  # in place and never copied into the world-readable Nix store.
  secretsFile = "/media/secrets/karakeep";
in
{
  services.karakeep = {
    enable = true;

    extraEnvironment = {
      PORT = port;

      # OIDC discovery document served by the identity provider.
      OAUTH_WELLKNOWN_URL = "https://${config.homelab.authDomain}/oauth2/openid/karakeep/.well-known/openid-configuration";
      OAUTH_PROVIDER_NAME = domain;

      # Public URL of the instance; same host name as the Caddy virtual host
      # declared at the bottom of this module.
      NEXTAUTH_URL = "https://${host}";

      # No local password login: the OAuth provider is the only way in.
      DISABLE_PASSWORD_AUTH = "true";

      # Lets an OAuth login attach to an existing Karakeep account that has
      # the same e-mail address. Whoever controls the e-mail claim at the
      # provider therefore controls the matching account, so this is only
      # sound while the provider at authDomain is the sole, trusted issuer and
      # users cannot assign themselves arbitrary e-mail addresses there.
      # NOTE(review): consider switching this off once existing accounts have
      # been linked.
      OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING = "true";
    };

    # OAUTH_CLIENT_SECRET and OAUTH_CLIENT_ID are supplied through this file
    # instead of extraEnvironment, which keeps them out of the Nix store.
    # https://docs.karakeep.app/configuration/environment-variables#authentication--signup
    environmentFile = secretsFile;
  };

  # Creates an empty placeholder (mode 0400, owner karakeep:karakeep) when the
  # file is missing; the two OAUTH_CLIENT_* lines still have to be written to
  # it out of band.
  systemd.tmpfiles.rules = [
    "f ${secretsFile} 0400 karakeep karakeep"
  ];

  # Application state lives on /media/apps and is bind-mounted to the path the
  # service uses.
  fileSystems."/var/lib/karakeep" = {
    device = "/media/apps/karakeep";
    options = [ "bind" ];
  };

  # TLS certificate comes from the ACME host configured for the base domain.
  # `block_non_private_ips` is a Caddy snippet defined outside this file.
  # NOTE(review): presumably it rejects clients from non-private addresses;
  # confirm it takes effect ahead of reverse_proxy, because it is the only
  # network-level restriction visible in this module.
  services.caddy.virtualHosts.${host} = {
    useACMEHost = domain;
    extraConfig = ''
      reverse_proxy http://localhost:${port}
      import block_non_private_ips
    '';
  };
}