# Neo4j run as an OCI container and published to the private networks
# through nginx (HTTP browser on port 80, bolt on port 7687).
#
# NOTE(review): the database runs with NEO4J_AUTH = "none", so the nginx
# allow/deny lists below are the only access control in front of it. Every
# host in 192.168.0.0/16 or in the tinc subnet gets full read/write access
# without credentials. Confirm that is intended before using this module
# outside a development setup.
{ config, lib, pkgs, ... }:
let
  hostName = config.networking.hostName;

  # Subnet of the private tinc network; used in both nginx access lists.
  tincSubnet = config.module.cluster.services.tinc."private".networkSubnet;

  # neo4j container definition
  # --------------------------
  neo4jContainer = {
    # NOTE(review): no tag or digest is given, so the runtime pulls whatever
    # the default tag points to at pull time. Pin a tag or digest, e.g.
    # "neo4j:<PINNED_TAG>", to keep deployments reproducible and reviewable.
    image = "neo4j";

    environment = {
      # Authentication is disabled; the author marks this as development-only.
      NEO4J_AUTH = "none";

      # APOC file export/import is enabled. With use_neo4j_config set, APOC
      # is expected to follow the neo4j import-directory settings (verify
      # against the APOC documentation for the deployed version). Combined
      # with the disabled authentication, any client that reaches bolt or
      # HTTP can use these procedures.
      NEO4J_apoc_export_file_enabled = "true";
      NEO4J_apoc_import_file_enabled = "true";
      NEO4J_apoc_import_file_use__neo4j__config = "true";

      # NOTE(review): presumably the image fetches these plugins when the
      # container starts; if so they are unpinned as well. Consider placing
      # vetted jars in /var/lib/neo4j/plugins instead.
      NEO4JLABS_PLUGINS = ''["apoc","n10s"]'';
    };

    # Both ports are bound to loopback only; nginx is the sole network entry.
    ports = [
      "127.0.0.1:7474:7474" # http port
      "127.0.0.1:17687:7687" # bolt port
    ];

    volumes = [
      "/var/lib/neo4j/data:/data"
      "/var/lib/neo4j/logs:/logs"
      "/var/lib/neo4j/conf:/conf"
      "/var/lib/neo4j/import:/import" # for database imports
      "/var/lib/neo4j/plugins:/plugins"
    ];
  };
in
{
  # neo4j container management
  # --------------------------
  virtualisation.oci-containers.containers = {
    neo4j = neo4jContainer;

    # Draft of a one-shot backup container (disabled):
    #neo4jbackup = neo4jContainer // {
    #  autoStart = false;
    #  volumes = [
    #    "/var/lib/neo4j/data:/data"
    #    "/var/lib/neo4j/backups:/backups"
    #  ];
    #  cmd = ["neo4j-admin" "dump" "--verbose" "--to=/backups/neo4j.dump"];
    #};
  };

  #systemd.services."docker-neo4jbackup" = {
  #  preStart = "systemctl stop docker-neo4j";
  #  postStop = "systemctl start docker-neo4j";
  #};

  # backups
  # -------
  # NOTE(review): nothing enabled in this file writes to this directory. The
  # running container does not mount /var/lib/neo4j/backups, and the command
  # in the todo below dumps to /dump, which is not a mounted volume either.
  # Until a dump job exists, this entry backs up an empty or stale directory.
  backup.dirs = [ "/var/lib/neo4j/backups" ];
  # todo run frequently :
  # docker exec --interactive --tty neo4j neo4j-admin dump --verbose --to /dump/neo4j.dump
  # https://neo4j.com/docs/operations-manual/current/docker/maintenance/

  # nginx publishing
  # ----------------
  services.nginx = {
    # Bolt: TCP stream proxy from 7687 to the loopback-bound container port.
    # No TLS is configured in this block, so bolt traffic crosses the LAN
    # range in clear text.
    streamConfig = ''
      # configure neo4j bolt port
      server {
        allow 192.168.0.0/16; # allow private ip range class c
        allow ${tincSubnet}; # allow private tinc network
        deny all;
        listen 7687;
        proxy_pass localhost:17687;
      }
    '';

    # HTTP browser / API. The vhost also answers for the bare host name
    # (serverAliases). No TLS options are set here.
    virtualHosts."neo4j.${hostName}.private" = {
      serverAliases = [ hostName ];
      locations."/" = {
        proxyPass = "http://localhost:7474";
        extraConfig = ''
          allow 192.168.0.0/16; # allow private ip range class c
          allow ${tincSubnet}; # allow private tinc network
          deny all;
        '';
      };
    };
  };

  # Both ports are opened on every interface; restriction to the private
  # ranges relies entirely on the nginx allow/deny rules above.
  networking.firewall.allowedTCPPorts = [ 80 7687 ];
  #networking.firewall.allowedUDPPorts = [ 80 ];
}