nixcfg/systems/x86_64-linux/mx/nextcloud-opencode-bot/default.nix

{ config, ... }:
{
  imports = [ ./module.nix ];

  services.nextcloud-opencode-bot = {
    enable = true;
    nextcloudUrl = "https://nc.hoyer.xyz";
    botSecretFile = config.sops.secrets."nextcloud-opencode-bot/secret".path;
    modelBaseUrl = "http://halo.hoyer.tail:8000/v1";
    model = "halo-8000";
    botName = "Halo";
    allowedUsers = [ ];
  };

  sops.secrets."nextcloud-opencode-bot/secret" = {
    sopsFile = ../../../../.secrets/hetzner/nextcloud-opencode-bot.yaml;
    restartUnits = [ "nextcloud-opencode-bot.service" ];
    owner = "opencode-bot";
  };

  # Nginx location for Nextcloud to send webhooks to the bot
  services.nginx.virtualHosts."nc.hoyer.xyz".locations."/_opencode-bot/" = {
    proxyPass = "http://127.0.0.1:8086/";
    extraConfig = ''
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;

      # Only allow from localhost (Nextcloud on same server)
      allow 127.0.0.1;
      deny all;
    '';
  };
}