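{ config, pkgs, lib, ... }:

with lib;

let
  # Container config
  name = "passbolt";

  # Version tagging
  passboltVersion = "5.9.0-1-ce-non-root";
  databaseVersion = "12.2";

  # Storage optimization
  spindown = config.numbus-server.hardware.HddSpindown;
  # Currently unreferenced in this module (dataDirEnabled = false below), so
  # cfg.dataDir is never evaluated; kept so the spindown selection stays
  # available if the data dir is enabled later.
  optimizedDir =
    if spindown.enable
      && (spindown.optimize == "compatible"
        || (isList spindown.optimize && elem name spindown.optimize))
    then cfg.configDir
    else cfg.dataDir;

  # Helper
  helper = import ../service-helper.nix { inherit config pkgs lib; };
  cfg = config.numbus-server.services.passbolt;
in
helper.mkPodmanService {
  inherit name;
  description = "Passbolt, your password manager";
  defaultPort = "4433";
  scheme = "https";
  dataDirEnabled = false;
  middlewares = [ "secureHeaders" ];

  # Host-side ownership of the bind mounts. The owners look like the rootless
  # subuid mapping of the in-container users (33 -> 100032, 999 -> 100999);
  # verify against service-helper.nix and the host's subuid/subgid ranges.
  dirPermissions = [
    "100032:100 ${cfg.configDir}"
    "100032:100 ${cfg.configDir}/gpg"
    "100032:100 ${cfg.configDir}/jwt"
    "100999:100 ${cfg.configDir}/database"
  ];

  # sops secrets referenced below through config.sops.placeholder.*; the
  # rendered compose file therefore holds these values in the clear, so its
  # on-disk permissions (handled by the helper, not visible here) matter.
  secrets = [
    "passbolt/db_name"
    "passbolt/db_username"
    "passbolt/db_password"
  ];

  # Compose file
  composeText = ''
    services:
      passbolt-server:
        image: docker.io/passbolt/passbolt:${passboltVersion}
        container_name: passbolt-server
        hostname: passbolt-server
        user: '33:33'
        networks:
          passbolt:
        ports:
          - "${cfg.port}:4433/tcp"
        volumes:
          - ${cfg.configDir}/gpg:/etc/passbolt/gpg
          - ${cfg.configDir}/jwt:/etc/passbolt/jwt
        environment:
          APP_DEFAULT_TIMEZONE: ${config.time.timeZone}
          APP_FULL_BASE_URL: https://${cfg.subdomain}.${config.numbus-server.services.domain}
          DATASOURCES_DEFAULT_HOST: "passbolt-database"
          DATASOURCES_DEFAULT_USERNAME: ${config.sops.placeholder."passbolt/db_username"}
          DATASOURCES_DEFAULT_PASSWORD: ${config.sops.placeholder."passbolt/db_password"}
          DATASOURCES_DEFAULT_DATABASE: ${config.sops.placeholder."passbolt/db_name"}
          EMAIL_DEFAULT_FROM_NAME: "Passbolt"
          EMAIL_TRANSPORT_DEFAULT_HOST: ${config.numbus-server.mail.smtpServer}
          EMAIL_TRANSPORT_DEFAULT_PORT: ${toString config.numbus-server.mail.smtpPort}
          EMAIL_TRANSPORT_DEFAULT_USERNAME: ${config.numbus-server.mail.smtpUsername}
          EMAIL_TRANSPORT_DEFAULT_PASSWORD: ${config.sops.placeholder."mail/smtpPassword"}
          # Quoted: compose environment values must be strings/numbers, a bare
          # YAML boolean is rejected by strict compose parsers.
          EMAIL_TRANSPORT_DEFAULT_TLS: "true"
          EMAIL_DEFAULT_FROM: passbolt-noreply@${config.numbus-server.services.domain}
          PASSBOLT_SSL_FORCE: "true"
        command: [ "/usr/bin/wait-for.sh", "-t", "0", "passbolt-database:3306", "--", "/docker-entrypoint.sh" ]
        depends_on:
          - passbolt-database
        security_opt:
          - no-new-privileges:true
        cap_drop:
          - NET_RAW
        restart: unless-stopped

      passbolt-database:
        image: docker.io/library/mariadb:${databaseVersion}
        container_name: passbolt-database
        hostname: passbolt-database
        # NOTE(review): runs as 1000:1000 while /var/lib/mysql is chowned to
        # host 100999 (container uid 999) in dirPermissions above — confirm
        # this uid can write the data directory.
        user: '1000:1000'
        networks:
          passbolt:
        volumes:
          - ${cfg.configDir}/database:/var/lib/mysql
        environment:
          MYSQL_RANDOM_ROOT_PASSWORD: "true"
          # Same placeholders as the server side so both containers agree on
          # the rendered database name and credentials.
          MYSQL_DATABASE: ${config.sops.placeholder."passbolt/db_name"}
          MYSQL_USER: ${config.sops.placeholder."passbolt/db_username"}
          MYSQL_PASSWORD: ${config.sops.placeholder."passbolt/db_password"}
        security_opt:
          - no-new-privileges:true
        cap_drop:
          - NET_RAW
        restart: unless-stopped

    networks:
      passbolt:
        name: passbolt
        driver: bridge
  '';
}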