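{ config, pkgs, lib, ... }:

with lib;

let
  # Pod / container family name; also the systemd unit name produced by the helper.
  name = "authelia";

  # Pinned image tags. Bump deliberately: Authelia's configuration schema changes
  # between minor releases, and a PostgreSQL major bump requires a data migration
  # of the volume mounted below.
  autheliaVersion = "v4.39.16";
  databaseVersion = "18.3";

  # Shared podman-service helper and this service's own options.
  helper = import ../service-helper.nix { inherit config pkgs lib; };
  cfg = config.numbus-server.services.authelia;

  # Derive the LDAP base DN from the service domain
  # (example.com -> dc=example,dc=com).
  domainParts = splitString "." config.numbus-server.services.domain;
  baseDN = concatStringsSep "," (map (p: "dc=${p}") domainParts);

  # Absolute indentation of one entry of `access_control.rules` in the rendered
  # YAML (authelia: 0, access_control: 2, rules: 4, "- domain": 6).
  # The config is assembled by string interpolation and Nix does not re-indent
  # continuation lines of an interpolated value, so every generated rule carries
  # its own indentation and `${allGroupRules}` is placed at column 0 of the
  # template. Keep this in sync with the `access_control` section below.
  ruleIndent = "      ";

  # One access-control rule granting `groupName` two_factor access to `appName`.
  # Apps are looked up under `services`, consistent with every other lookup in
  # this module.
  # NOTE(review): the original looked up `config.numbus-server.service.<app>`
  # (singular). Because of the `or {}` fallback a misspelled namespace yields no
  # rules at all without any error — fail-closed (default_policy is deny), but
  # silent. Confirm no separate `service` option set exists.
  mkGroupRule = groupName: appName:
    let
      app = config.numbus-server.services.${appName} or { };
    in
    if app ? subdomain && app ? domain then
      concatStringsSep "\n" (map (l: ruleIndent + l) [
        "- domain: \"${app.subdomain}.${app.domain}\""
        "  policy: two_factor"
        "  subject: \"group:${groupName}\""
      ])
    else
      "";

  # All group rules, one per (group, allowedApp) pair, empty entries dropped.
  allGroupRules = concatStringsSep "\n" (filter (s: s != "") (flatten (mapAttrsToList
    (groupName: groupCfg:
      map (mkGroupRule groupName) (groupCfg.allowedApps or [ ]))
    (config.numbus-server.groups or { }))));

  # Where to send a user after login when no target URL is known: the homepage
  # if enabled, else dashy, else nothing (the key is omitted from the config).
  defaultRedirectionUrl =
    let
      svc = config.numbus-server.services;
      urlFor = app: "https://${app.subdomain}.${svc.domain}";
    in
    if svc.homepage.enable then urlFor svc.homepage
    else if svc.dashy.enable then urlFor svc.dashy
    else null;
in
helper.mkPodmanService {
  inherit name;
  pod = name;
  description = "Authelia, your own unified login provider";
  defaultPort = "9091";

  # Secrets must be installed and the proxy / DNS must be up before the pod.
  dependencies = [
    "sops-install-secrets.service"
    "traefik.service"
    "${config.numbus-server.services.dns}.service"
  ];
  middlewares = [ "secureHeaders" ];

  # 100999 is the host-side uid that container uid 1000 maps to (user namespace
  # offset); the config dir and the rendered config below use the same owner.
  dirPermissions = [ "100999:100 ${cfg.configDir}" ];

  # Secrets the helper installs for this service. The template below also
  # references `lldap/` and `smtpPassword`, which are not in this list —
  # presumably provided by the lldap / mail modules; confirm.
  secrets = [
    "authelia/db_name"
    "authelia/db_username"
    "authelia/db_password"
    "authelia/jwt_secret"
    "authelia/session_secret"
    "authelia/storage_secret"
  ];

  # NOTE(review): `${cfg.port}:9091/tcp` publishes Authelia on every host
  # interface, bypassing Traefik and the secureHeaders middleware. If the helper
  # does not restrict the bind address, prefer "127.0.0.1:${cfg.port}:9091/tcp"
  # or drop the `ports:` entry and let Traefik reach the pod network directly.
  # NOTE(review): both containers run as uid 1000 and bind only unprivileged
  # ports, so `cap_drop: [ALL]` should be safe; only NET_RAW is dropped today.
  # NOTE(review): the rendered config is written to /etc/authelia/authelia.yaml
  # (see extraConfig) but only ${cfg.configDir}/server is mounted at /config —
  # verify the helper places the file where Authelia reads it.
  composeText = ''
    services:
      authelia-server:
        image: ghcr.io/authelia/authelia:${autheliaVersion}
        container_name: authelia-server
        hostname: authelia-server
        user: '1000:1000'
        networks:
          authelia:
            ipv4_address: 10.89.251.253
        ports:
          - "${cfg.port}:9091/tcp"
        volumes:
          - ${cfg.configDir}/server:/config
        security_opt:
          - no-new-privileges:true
        cap_drop:
          - NET_RAW
        restart: unless-stopped
      authelia-database:
        container_name: authelia-database
        hostname: authelia-database
        image: docker.io/library/postgres:${databaseVersion}
        user: '1000:1000'
        networks:
          authelia:
            ipv4_address: 10.89.251.252
        environment:
          POSTGRES_DB: ${config.sops.placeholder."authelia/db_name"}
          POSTGRES_USER: ${config.sops.placeholder."authelia/db_username"}
          POSTGRES_PASSWORD: ${config.sops.placeholder."authelia/db_password"}
          POSTGRES_INITDB_ARGS: '--data-checksums'
        volumes:
          - ${cfg.configDir}/database:/var/lib/postgresql/data
        shm_size: 128mb
        healthcheck:
          disable: false
        security_opt:
          - no-new-privileges:true
        cap_drop:
          - NET_RAW
        restart: unless-stopped
    networks:
      authelia:
        driver: bridge
        name: authelia
        ipam:
          config:
            - subnet: "10.89.251.0/24"
              gateway: "10.89.251.254"
  '';

  extraConfig = {
    # Rendered at activation by sops-nix with the placeholders substituted;
    # readable only by the container's mapped uid (0400).
    sops.templates."authelia-config" = {
      uid = "100999";
      gid = "100";
      mode = "0400";
      path = "/etc/authelia/authelia.yaml";
      # All substituted values are double-quoted so a secret containing `#`,
      # `: ` or a leading special character cannot change the YAML structure
      # (a secret containing `"` or `\` still needs escaping upstream).
      # NOTE(review): Authelia's configuration keys are normally top-level;
      # verify the `authelia:` wrapper key is accepted by this version.
      content = ''
        authelia:
          identity_validation:
            reset_password:
              jwt_secret: "${config.sops.placeholder."authelia/jwt_secret"}"
              jwt_lifespan: "5 minutes"
              jwt_algorithm: "HS256"
          storage:
            encryption_key: "${config.sops.placeholder."authelia/storage_secret"}"
            postgres:
              address: "tcp://authelia-database:5432"
              database: "${config.sops.placeholder."authelia/db_name"}"
              username: "${config.sops.placeholder."authelia/db_username"}"
              password: "${config.sops.placeholder."authelia/db_password"}"
          session:
            secret: "${config.sops.placeholder."authelia/session_secret"}"
            cookies:
              - domain: "${config.numbus-server.services.domain}"
                authelia_url: "https://${cfg.subdomain}.${config.numbus-server.services.domain}"
                ${optionalString (defaultRedirectionUrl != null) "default_redirection_url: \"${defaultRedirectionUrl}\""}
          authentication_backend:
            ldap:
              implementation: "lldap"
              # Plain ldap:// — the bind password crosses the podman bridge to the
              # host unencrypted. Acceptable only while lldap lives on this host;
              # switch to ldaps:// if it ever moves off-box.
              address: "ldap://host.containers.internal:3890"
              base_dn: "${baseDN}"
              user: "UID=authelia,OU=people,${baseDN}"
              # NOTE(review): secret name "lldap/" looks truncated — confirm the
              # intended sops key for the authelia bind user's password.
              password: "${config.sops.placeholder."lldap/"}"
          notifier:
            smtp:
              address: "submission://${config.numbus-server.mail.smtpHost}:${config.numbus-server.mail.smtpPort}"
              username: "${config.numbus-server.mail.smtpUsername}"
              password: "${config.sops.placeholder.smtpPassword}"
              sender: "${config.numbus-server.mail.fromAddress}"
              tls:
                server_name: "${config.numbus-server.mail.smtpHost}"
                minimum_version: "TLS1.2"
                skip_verify: false
          # Deny by default; admins get every subdomain, other groups only the
          # apps listed in their `allowedApps` (see mkGroupRule).
          access_control:
            default_policy: 'deny'
            rules:
              - domain: "*.${config.numbus-server.services.domain}"
                policy: two_factor
                subject: "group:admin"
        ${allGroupRules}
      '';
    };
  };
}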