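# Home Assistant plus a Mosquitto MQTT broker, run as a podman service of the
# numbus-server module set.  The attribute set below is handed to
# ../service-helper.nix:mkPodmanService; from what this file passes, the helper
# consumes a compose description, directory ownership, sops secret names, extra
# module options and extra NixOS config.  Two "quirk" oneshot units patch the
# generated config files that the containers cannot produce on their own.
{ config, pkgs, lib, ... }:

with lib;

let
  # Container config
  name = "home-assistant";

  # Version tagging (image tags referenced by the compose file)
  homeAssistantVersion = "2026.2.3";
  mqttVersion = "2.1-alpine";

  # Helper
  helper = import ../service-helper.nix { inherit config pkgs lib; };
  cfg = config.numbus-server.services.home-assistant;

  # Files written by the quirk units below.
  haConfig = "${cfg.configDir}/config/configuration.yaml";
  mqttDir = "${cfg.configDir}/mqtt";
  mqttConf = "${mqttDir}/mosquitto.conf";
  mqttPasswd = "${mqttDir}/password.txt";

  # The line the HA quirk appends to configuration.yaml.  Its presence is the
  # "already patched" marker, so the check and the heredoc use the same text.
  # NOTE(review): the proxy address is assumed to be the reverse proxy's
  # address on the home-assistant bridge (gateway is .254 below) — confirm.
  haProxyLine = "trusted_proxies: 10.89.230.1";
in
helper.mkPodmanService {
  inherit name;
  description = "Home Assistant, libre house control and much more";
  defaultPort = "8123";
  dataDirEnabled = false;
  middlewares = [ "secureHeaders" ];

  # "owner:group path" entries applied to the data directories.
  # 100999 is presumably the host-side uid that the broker's in-container
  # uid 1000 (user: '1000:1000' below) maps to — verify against the podman
  # subuid range if the broker cannot read its files.
  dirPermissions = [
    "1000:100 ${cfg.configDir}"
    "1000:100 ${cfg.configDir}/config"
    "100999:100 ${mqttDir}"
  ];

  # sops secrets the helper installs; read from /run/secrets/<name> below.
  secrets = [
    "home-assistant/mqtt_user"
    "home-assistant/mqtt_password"
  ];

  # Compose file
  composeText = ''
    services:
      home-assistant:
        image: ghcr.io/home-assistant/home-assistant:${homeAssistantVersion}
        container_name: home-assistant
        hostname: home-assistant
        networks:
          home-assistant:
            ipv4_address: 10.89.230.252
        ports:
          # NOTE(review): published on every host interface; restrict the
          # bind address if only the reverse proxy should reach it.
          - "${cfg.port}:8123/tcp"
        volumes:
          - ${cfg.configDir}/config:/config
          - /etc/localtime:/etc/localtime:ro
          - /run/dbus:/run/dbus:ro
        ${lib.optionalString (cfg.devices != []) ''
          devices:
          ${lib.concatStringsSep "\n" (map (d: "      - \"${d}\"") cfg.devices)}
        ''}
        security_opt:
          - no-new-privileges:true
        cap_drop:
          - NET_RAW
        restart: unless-stopped

      home-assistant-mqtt:
        image: docker.io/library/eclipse-mosquitto:${mqttVersion}
        container_name: home-assistant-mqtt
        hostname: home-assistant-mqtt
        user: '1000:1000'
        networks:
          home-assistant:
            # NOTE(review): this is the same static address as the
            # home-assistant service above; a network can hand it out only
            # once.  Left unchanged here because the HA-side MQTT settings
            # may reference it — give the broker its own address and update
            # both together.
            ipv4_address: 10.89.230.252
        volumes:
          - ${mqttDir}:/mosquitto
        security_opt:
          - no-new-privileges:true
        cap_drop:
          - NET_RAW
        restart: unless-stopped

    networks:
      home-assistant:
        driver: bridge
        name: home-assistant
        ipam:
          config:
            - subnet: "10.89.230.0/24"
              gateway: "10.89.230.254"
  '';

  extraOptions = {
    devices = mkOption {
      type = types.listOf types.str;
      default = [];
      example = [ "/dev/serial/by-id/Sonoff_Zigbee_3.0-id-port0:/dev/ttyUSB0" ];
      description = "List of devices to map into the container. /dev/ttyUSB0 is used for Zigbee dongles";
    };
  };

  extraConfig = {
    # Patches configuration.yaml after HA's first start: trust the reverse
    # proxy (needed for correct client IPs behind it) and enable ZHA.
    systemd.services."${name}-quirk" = {
      description = "Podman container quirk : ${name}";
      after = [ "${name}.service" ];
      onFailure = [ "service-failure-notify@%n.service" ];
      startLimitBurst = 5;
      startLimitIntervalSec = 600;
      path = [ pkgs.coreutils pkgs.systemd ];
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
      };
      script = ''
        mkdir -p /var/lib/numbus-server/${name}

        if [[ -e "${haConfig}" ]]; then
          # Our block is already present: nothing to do (and no HA restart).
          if grep -qF "${haProxyLine}" "${haConfig}"; then
            exit 0
          # An http: block we did not write (or a partial one): drop the
          # tail before appending ours.  NOTE(review): the line count is
          # inherited from the previous version of this script and is not
          # derived from anything — confirm it matches the foreign block.
          elif grep -qF "use_x_forwarded_for" "${haConfig}"; then
            tmp=$(mktemp)
            head -n -6 "${haConfig}" > "$tmp"
            # Overwrite in place rather than mv, so the file keeps the
            # owner and mode the container can read (mktemp gives 0600).
            cat "$tmp" > "${haConfig}"
            rm -f "$tmp"
          fi
        fi

        # Home Assistant creates configuration.yaml on its first start.
        until [[ -e "${haConfig}" ]]; do
          sleep 15
        done

        # Quoted terminator: nothing in the block is expanded by the shell.
        cat << 'EOF' >> "${haConfig}"
        http:
          use_x_forwarded_for: true
          ${haProxyLine}
        zha:
        EOF
        systemctl restart ${name}.service
      '';
    };

    # Writes mosquitto.conf and the hashed password file before the broker
    # starts; ordered after sops so the secrets exist.
    systemd.services."mqtt-quirk" = {
      description = "Podman container quirk : Home-assistant MQTT";
      after = [ "sops-install-secrets.service" ];
      before = [ "${name}.service" ];
      onFailure = [ "service-failure-notify@%n.service" ];
      startLimitBurst = 5;
      startLimitIntervalSec = 600;
      path = [ pkgs.coreutils pkgs.mosquitto ];
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
      };
      script = ''
        # Already provisioned: both files exist and the config is ours.
        if [[ -e "${mqttConf}" && -e "${mqttPasswd}" ]] \
            && grep -qF "listener 1883" "${mqttConf}"; then
          exit 0
        fi

        # Anything else (a missing file, or a config we did not write) is
        # regenerated from scratch so the directives are never appended twice.
        rm -f "${mqttConf}" "${mqttPasswd}"

        cat << 'EOF' > "${mqttConf}"
        persistence true
        persistence_location /mosquitto/data/
        log_dest file /mosquitto/log/mosquitto.log
        listener 1883
        ## Authentication ##
        allow_anonymous false
        password_file /mosquitto/password.txt
        EOF

        # Write a plain "user:password" line with a private umask and let
        # mosquitto_passwd hash it in place (-U), so the password is never
        # passed on a command line where other processes could read it.
        # The umask only affects files created from here on.
        umask 077
        printf '%s:%s\n' \
          "$(cat /run/secrets/home-assistant/mqtt_user)" \
          "$(cat /run/secrets/home-assistant/mqtt_password)" > "${mqttPasswd}"
        mosquitto_passwd -U "${mqttPasswd}"
        chmod 0400 "${mqttPasswd}"
      '';
    };
  };
}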