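# NixOS module wrapping `services.collabora-online` behind
# `${namespace}.services.collabora`.
#
# TLS is terminated by a reverse proxy, so coolwsd itself speaks plain HTTP
# on `cfg.port`.
{
  config,
  lib,
  namespace,
  ...
}:
let
  inherit (lib.${namespace}) mkOpt;
  cfg = config.${namespace}.services.collabora;
in
{
  options.${namespace}.services.collabora = with lib; {
    enable = lib.mkEnableOption "Collabora Online";

    port = mkOpt types.int 9980 "Port for Collabora Online to listen on";

    # NOTE(review): the four options below are declared but not referenced by
    # the `config` section of this module. They are kept so existing callers
    # that set them still evaluate.
    configPath = mkOpt types.str "/media/nas/main/nix-app-data/collabora" "Path to the data dir";

    puid = mkOpt types.str "911" "puid";

    pgid = mkOpt types.str "1000" "pgid";

    timeZone = mkOpt types.str "America/Chicago" "container tz";
  };

  config = lib.mkIf cfg.enable {
    services.collabora-online = {
      enable = true;
      port = cfg.port;
      settings = {
        # Rely on the reverse proxy for TLS: coolwsd serves plain HTTP and is
        # told that TLS is terminated upstream.
        ssl = {
          enable = false;
          termination = true;
        };

        net = {
          # Not loopback-only: this listens on every interface. With
          # ssl.enable = false the port therefore serves unencrypted HTTP to
          # any host the firewall lets through, so access should be limited to
          # the reverse proxy.
          # NOTE(review): coolwsd documents "any" and "loopback" for this
          # setting; "0.0.0.0" is presumably treated like "any" - confirm.
          listen = "0.0.0.0";

          # Clients allowed to POST to the service.
          # NOTE(review): coolwsd appears to match these entries as regular
          # expressions, in which case the CIDR entry "10.0.1.0/24" would not
          # match any address and the unescaped dots match any character -
          # confirm and rewrite as anchored, escaped patterns if so.
          post_allow.host = [
            "cloud.mjallen.dev"
            "office.mjallen.dev"
            "10.0.1.3"
            "10.0.1.0/24"
          ];

          # Only this origin may embed the editor in a frame.
          frame_ancestors = "cloud.mjallen.dev";
        };

        # Restrict loading documents to this WOPI host.
        storage.wopi = {
          "@allow" = true;
          host = [ "cloud.mjallen.dev" ];
        };

        # Set FQDN of server
        server_name = "office.mjallen.dev";
      };
    };
  };
}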