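# n8n service definition for numbus-server.
#
# Builds the compose text for a single n8n container and hands it, together
# with port / directory metadata, to `helper.mkPodmanService` (defined in
# ../service-helper.nix, not visible from this file).
{ config, pkgs, lib, ... }:

with lib;

let
  # Container config
  name = "n8n";

  # Version tagging
  # NOTE(review): the image below is pinned by tag only. Registry tags are
  # mutable; appending an `@sha256:<digest>` pin would make the pulled image
  # content-addressed and verifiable.
  n8nVersion = "2.11.4";

  # Storage optimization: when HDD spindown is enabled and either the
  # "compatible" mode is selected or this service is listed explicitly,
  # n8n's state lives in configDir instead of dataDir.
  spindown = config.numbus-server.hardware.HddSpindown;
  optimizedDir =
    if spindown.enable
      && (spindown.optimize == "compatible"
        || (isList spindown.optimize && elem name spindown.optimize))
    then cfg.configDir
    else cfg.dataDir;

  # Time zone handed to the container.
  # `time` is neither a function argument nor a let-binding in this file, so
  # the former `time.timeZone` could only resolve through `with lib;`, which
  # stock nixpkgs `lib` does not provide. Read the NixOS option from `config`
  # instead. That option may be null (host left on UTC) and null cannot be
  # interpolated into a string, hence the fallback.
  timeZone =
    if config.time.timeZone != null then config.time.timeZone else "UTC";

  # Helper
  helper = import ../service-helper.nix { inherit config pkgs lib; };
  cfg = config.numbus-server.services.n8n;
in
helper.mkPodmanService {
  inherit name;
  pod = "false";
  description = "n8n, the ultimate automation platform";
  defaultPort = "5678";
  scheme = "https";
  middlewares = [ "secureHeaders" ];

  # Ownership applied to the state directory that is bind-mounted below.
  # NOTE(review): 100999 is presumably the host-side uid that container uid
  # 1000 maps to under the rootless subuid range - confirm against the
  # mapping service-helper.nix actually uses.
  dirPermissions = [ "100999:100 ${optimizedDir}" ];

  # Hardening already present in the compose text: non-root user 1000:1000,
  # no-new-privileges, NET_RAW dropped, settings-file permission enforcement.
  #
  # NOTE(review): `ports` gives no host address, so the port is published on
  # every host interface. If the reverse proxy is meant to be the only entry
  # point, bind to loopback (e.g. "127.0.0.1:<port>:5678") or confirm the
  # host firewall blocks direct access.
  # NOTE(review): only NET_RAW is dropped; the remaining default capability
  # set stays in the bounding set. `cap_drop: [ALL]` would be tighter -
  # confirm n8n starts cleanly before switching.
  # NOTE(review): N8N_PROTOCOL=https is set but no TLS key/cert is mounted;
  # TLS presumably terminates at the proxy - confirm what `scheme` means in
  # service-helper.nix.
  composeText = ''
    services:
      n8n:
        image: docker.n8n.io/n8nio/n8n:${n8nVersion}
        container_name: n8n
        hostname: n8n
        user: '1000:1000'
        networks:
          n8n:
            ipv4_address: 10.89.180.253
        ports:
          - "${cfg.port}:5678"
        volumes:
          - ${optimizedDir}:/home/node/.n8n
        environment:
          - N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS=true
          - N8N_HOST=${cfg.subdomain}.${config.numbus-server.services.domain}
          - N8N_PORT=5678
          - N8N_PROTOCOL=https
          - N8N_RUNNERS_ENABLED=true
          - NODE_ENV=production
          - WEBHOOK_URL=https://${cfg.subdomain}.${config.numbus-server.services.domain}/
          - GENERIC_TIMEZONE=${timeZone}
          - TZ=${timeZone}
        security_opt:
          - no-new-privileges:true
        cap_drop:
          - NET_RAW
        restart: unless-stopped

    networks:
      n8n:
        driver: bridge
        name: n8n
        ipam:
          config:
            - subnet: "10.89.180.0/24"
              gateway: "10.89.180.254"
  '';
}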