# Pi-hole (DNS sinkhole) declared as a Podman compose service through the
# shared service helper.
{ config, pkgs, lib, ... }:

with lib;

let
  # Tag of the docker.io/pihole/pihole image used in the compose text below.
  # NOTE(review): a registry tag is mutable. Pinning the image by digest
  # (image@sha256:<DIGEST_PLACEHOLDER>) would make the pulled content
  # reproducible and detect a re-tagged image.
  piholeVersion = "2026.02.0";

  # Project-local builder; mkPodmanService is taken from it.
  helper = import ../service-helper.nix { inherit config pkgs lib; };

  # Options of this service; port, configDir and subdomain are read below.
  cfg = config.numbus-server.services.pi-hole;

  # Base domain of the server, used for the web UI host name and for the
  # local DNS domain handed to Pi-hole.
  baseDomain = config.numbus-server.services.domain;

  # Service and container name.
  name = "pi-hole";

  # Extra DNS configuration; empty and not referenced in this file.
  dnsConfig = '' '';
in
helper.mkPodmanService {
  inherit name;
  description = "Pi-Hole, the ads black hole";

  # The web UI is served over HTTPS; cfg.port is mapped to container port 443
  # in the compose text.
  scheme = "https";
  defaultPort = "4443";

  dataDirEnabled = false;
  startDelay = 10;
  dependencies = [ "network.target" ];
  middlewares = [ "secureHeaders" ];

  # Owner "uid:gid path" for the bind-mounted config directory.
  # NOTE(review): 100999 looks like the rootless sub-uid that container uid
  # 1000 (PIHOLE_UID) maps to; confirm the mapping and the group (100) on the
  # target host.
  dirPermissions = [ "100999:100 ${cfg.configDir}" ];

  # sops secret referenced by the placeholder in the compose text.
  secrets = [ "pi-hole/web_password" ];

  # Compose definition of the container.
  #
  # Security notes for reviewers (kept outside the string so the rendered
  # compose file stays unchanged):
  # - Port 53 (tcp and udp) is published without a host address, so it is
  #   bound on every host interface. On a host reachable from untrusted
  #   networks this exposes a resolver; restrict it with the firewall or
  #   publish on a specific LAN address.
  # - The web password is substituted from the sops placeholder as an
  #   unquoted YAML scalar. A secret containing characters such as " #",
  #   ": ", "$" or a leading "*", "&" or "!" may be truncated, reinterpreted
  #   or rejected when the file is parsed; constrain the secret's alphabet or
  #   quote/escape it accordingly.
  # - The password is passed as an environment variable, so it is readable
  #   through container inspection, and the rendered compose file holds it in
  #   clear text. Presumably the helper writes that file with restrictive
  #   permissions; verify in service-helper.nix.
  # - SYS_NICE is the only capability added; DHCP and NTP are switched off.
  composeText = ''
    services:
      pi-hole:
        image: docker.io/pihole/pihole:${piholeVersion}
        container_name: pi-hole
        hostname: pi-hole
        network_mode: pasta
        ports:
          - "${cfg.port}:443/tcp"
          - "53:53/tcp"
          - "53:53/udp"
        volumes:
          - ${cfg.configDir}:/etc/pihole
        environment:
          PIHOLE_UID: '1000'
          PIHOLE_GID: '1000'
          TZ: ${config.time.timeZone}
          FTLCONF_webserver_domain: ${cfg.subdomain}.${baseDomain}
          FTLCONF_dns_domain_name: "${baseDomain}"
          FTLCONF_webserver_api_password: ${config.sops.placeholder."pi-hole/web_password"}
          FTLCONF_dns_upstreams: 9.9.9.9;149.112.112.112
          FTLCONF_dns_listeningMode: "BIND"
          FTLCONF_dns_domain_local: "true"
          FTLCONF_dhcp_active: "false"
          FTLCONF_ntp_ipv4_active: "false"
          FTLCONF_ntp_ipv6_active: "false"
          FTLCONF_ntp_sync_active: "false"
        cap_add:
          - SYS_NICE
        restart: unless-stopped
  '';
}