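# NixOS module: CouchDB 3 as an Obsidian sync backend, published through an
# nginx TLS virtual host at obsidian.donsz.nl.
#
# Arguments:
#   pkgs    - package set; provides couchdb3.
#   config  - the evaluated system configuration (used to read the sops path).
#   secrets - directory holding the sops-managed secret files.
{ pkgs, config, secrets, ... }:
let
  # CouchDB listen port, shared by the service and the nginx upstream.
  port = 5984;

  # Origins allowed to make credentialed cross-origin requests. Because
  # cors.credentials is true below, every entry is trusted to act with the
  # user's CouchDB credentials, so keep this list as short as possible.
  #
  # "http://obsidian.donsz.nl" is intentionally not listed: the virtual host
  # sets forceSSL, so no legitimate page is ever served from that plaintext
  # origin, and trusting it would extend credentialed access to whoever can
  # tamper with unencrypted traffic for that name.
  corsOrigins = builtins.concatStringsSep "," [
    "app://obsidian.md"
    "capacitor://localhost"
    # NOTE(review): the localhost origins are presumably needed by the
    # desktop/mobile app webviews; confirm and drop any that are unused.
    "http://localhost"
    "https://localhost"
    "capacitor://obsidian.donsz.nl"
    "https://obsidian.donsz.nl"
  ];
in
{
  # INI file decrypted at activation time and owned by the couchdb user.
  # "${secrets}/..." is copied into the world-readable Nix store, so the file
  # referenced here must be the sops-encrypted form, never plaintext.
  sops.secrets.obsidian-sync = {
    sopsFile = "${secrets}/obsidian-sync.ini";
    format = "ini";
    owner = "couchdb";
  };

  services.couchdb = {
    enable = true;
    inherit port;
    package = pkgs.couchdb3;

    # NOTE(review): the NixOS option documents configFile as the file CouchDB
    # persists runtime changes to, which must be writable by couchdb. A sops
    # secret is read-only by default, so confirm that write-backs (such as a
    # hashed admin password) do not fail at startup.
    configFile = config.sops.secrets.obsidian-sync.path;

    extraConfig = {
      chttpd = {
        # Reject every request that does not carry valid credentials.
        require_valid_user = true;
        enable_cors = true;
        # 4 GiB. Requests arriving through nginx are capped earlier by
        # client_max_body_size (512M) in the virtual host below.
        max_http_request_size = 4294967296;
      };
      chttpd_auth.require_valid_user = true;
      httpd = {
        # Makes clients answer a 401 with HTTP Basic credentials.
        WWW-Authenticate = ''Basic realm="couchdb"'';
        enable_cors = true;
      };
      couchdb.max_document_size = 50000000;
      cors = {
        # Credentialed CORS: the origins list is the trust boundary.
        credentials = true;
        headers = "accept, authorization, content-type, origin, referer";
        methods = "GET,PUT,POST,HEAD,DELETE";
        max_age = 3600;
        origins = corsOrigins;
      };
    };
  };

  # TLS termination in front of CouchDB. forceSSL redirects plain HTTP to
  # HTTPS, so Basic credentials are not sent in cleartext through this host.
  services.nginx.virtualHosts."obsidian.donsz.nl" = {
    forceSSL = true;
    enableACME = true;
    # Effective upload limit for proxied requests.
    extraConfig = ''
      client_max_body_size 512M;
    '';
    locations."/".proxyPass = "http://localhost:${toString port}";
  };
}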