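# NixOS module: points Forgejo and Nextcloud at Backblaze B2 through its
# S3-compatible endpoint, with the application secret supplied by sops-nix.
{ inputs, pkgs, lib, config, ... }:

let
  region = "eu-central-003";
  endpoint = "s3.${region}.backblazeb2.com";

  # Application key *ID* (not the secret); it is used by both services below.
  accessKeyId = "0030c2377ff19920000000002";

  inherit (config.sops) secrets;
in
{
  imports = [ ./sops.nix ];

  # NOTE(review): both services use the same access key ID and the same sops
  # key name ("backblaze_application_secret"), so a single B2 application key
  # appears to reach both buckets. One bucket-restricted key per service would
  # keep a compromise of either service from exposing the other's data.

  # Forgejo
  services.forgejo.settings.storage = {
    STORAGE_TYPE = "minio";
    MINIO_USE_SSL = true;
    MINIO_ENDPOINT = endpoint;
    MINIO_ACCESS_KEY_ID = accessKeyId;
    # Placeholder only: settings end up in the world-readable Nix store, so the
    # real secret is substituted into the runtime app.ini by preStart below.
    MINIO_SECRET_ACCESS_KEY = "#BACKBLAZE_APPLICATION_SECRET#";
    MINIO_BUCKET = "jhemono-forgejo";
    MINIO_LOCATION = region;
  };

  # Decrypted secret file, readable by the Forgejo service user/group.
  sops.secrets.forgejo_backblaze_application_secret = {
    key = "backblaze_application_secret";
    owner = config.services.forgejo.user;
    inherit (config.services.forgejo) group;
  };

  # Replace the placeholder for the secret with the actual value on pre-start.
  systemd.services.forgejo = {
    preStart =
      let
        runConfig = "${config.services.forgejo.customDir}/conf/app.ini";
        replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret";
        storageSettings = config.services.forgejo.settings.storage;
      in
      # mkAfter: this fragment is merged with the preStart lines contributed by
      # other modules; it must run after app.ini has been written (presumably
      # by the Forgejo module's own preStart), otherwise the substitution is
      # lost or the chmod fails on a missing file.
      lib.mkAfter ''
        chmod u+w '${runConfig}'
        ${replaceSecretBin} '${storageSettings.MINIO_SECRET_ACCESS_KEY}' '${secrets.forgejo_backblaze_application_secret.path}' '${runConfig}'
        chmod u-w '${runConfig}'
      '';
  };

  # Nextcloud
  sops.secrets.nextcloud_backblaze_application_secret = {
    key = "backblaze_application_secret";
    owner = "nextcloud";
    group = "nextcloud";
  };

  services.nextcloud.config.objectstore.s3 = {
    enable = true;
    bucket = "seitan-nextcloud";
    # NOTE(review): autocreate presumably needs a key allowed to create
    # buckets; confirm it is still required once the bucket exists, since a
    # bucket-restricted key would be the tighter choice.
    autocreate = true;
    key = accessKeyId;
    # Path to the decrypted secret, so the value itself is not embedded here.
    secretFile = secrets.nextcloud_backblaze_application_secret.path;
    hostname = endpoint;
    useSsl = true;
    port = 443;
    inherit region;
  };
}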