# NixOS module for Collabora Online (coolwsd), assembled through the project's
# mkModule helper. What mkModule adds (e.g. the port / listenAddress options read
# from cfg below) is not visible in this file.
{
  config,
  lib,
  namespace,
  ...
}:
let
  name = "collabora";
  cfg = config.${namespace}.services.${name};
  network = lib.${namespace}.network;

  module = lib.${namespace}.mkModule {
    inherit config name;
    serviceName = "coolwsd";
    description = "collabora code server";
    options = { };

    moduleConfig.services.collabora-online = {
      enable = true;
      port = cfg.port;

      settings = {
        # FQDN the server announces for itself.
        server_name = "office.mjallen.dev";

        # coolwsd serves plain HTTP; TLS is terminated by a reverse proxy in front.
        # NOTE(review): the proxy -> coolwsd hop is therefore unencrypted, so
        # cfg.listenAddress should stay on loopback or a trusted segment.
        ssl.enable = false;
        ssl.termination = true;

        net = {
          # The listen address comes from cfg.listenAddress; it is not pinned to
          # loopback in this file.
          listen = cfg.listenAddress;

          # Clients allowed to use the POST endpoints: the two public names, the
          # NAS LAN address and the LAN subnet entry from the network topology.
          # NOTE(review): the subnet entry presumably admits every LAN host; if the
          # reverse proxy is the only legitimate client, narrow this list to it.
          # Also confirm the subnet value is in the form coolwsd expects here.
          post_allow.host = [
            "cloud.mjallen.dev"
            "office.mjallen.dev"
            network.hosts.nas.lan
            network.subnet.lan
          ];

          # Only this origin may embed the editor in a frame.
          frame_ancestors = "cloud.mjallen.dev";
        };

        # Limit document loading to the listed WOPI host.
        # NOTE(review): both "@allow" and "allow" are set; one of the two is
        # likely redundant -- confirm which key the generated coolwsd.xml uses.
        # NOTE(review): the host entry is a full URL; verify coolwsd matches it as
        # intended, since aliasGroups below already names the same origin.
        storage.wopi = {
          "@allow" = true;
          "allow" = true;
          host = [ "https://cloud.mjallen.dev:443" ];
        };
      };

      # WOPI origin accepted by the server (no aliases defined).
      aliasGroups = [
        { host = "https://cloud.mjallen.dev:443"; }
      ];
    };
  };
in
{
  imports = [ module ];
}