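{ config, pkgs, lib, ... }:
let
  # Version tagging: both images are pinned to explicit tags so that an
  # upgrade is a deliberate, reviewable change to these two lines.
  passboltVersion = "5.9.0-1-ce-non-root";
  databaseVersion = "12.2";

  # Helper that turns the attribute set below into a podman/compose service.
  helper = import ./lib.nix { inherit config pkgs lib; };
  cfg = config.numbus.services.passbolt;

  # Container config
  name = "passbolt";
in
helper.mkPodmanService {
  inherit name;
  description = "Passbolt, your password manager";
  defaultPort = "4433";
  scheme = "https";
  dataDirEnabled = false;

  # Secrets the helper generates/reads once. The compose text below refers to
  # them as $KEY, so every name used there must be a key of this set
  # (presumably the helper exports them as environment variables — confirm in
  # lib.nix). SMTP_PASSWORD previously had no matching reference in the
  # compose file: it used $EMAIL_TRANSPORT_DEFAULT_PASSWORD, which is not a
  # generated secret, so the mail password would have been empty.
  generatedSecrets = {
    DB_NAME = "xkcdpass -n 2 -d -";
    DB_USERNAME = "xkcdpass -n 2 -d -";
    DB_PASSWORD = "xkcdpass -n 10 -d -";
    SMTP_PASSWORD = "cat ${config.numbus.mail.smtpPasswordPath}";
  };

  middlewares = [ "secureHeaders" ];

  # Host-side ownership of the bind-mounted directories. passbolt runs as
  # 33:33 and mariadb as 1000:1000 inside the containers; the host uids below
  # look like the rootless-podman subuid mapping of those users (container
  # uid N -> host uid 99999 + N) — confirm against the subuid range in lib.nix.
  dirPermissions = [
    "100032:100 ${cfg.configDir}"
    "100032:100 ${cfg.configDir}/gpg"
    "100032:100 ${cfg.configDir}/jwt"
    "100999:100 ${cfg.configDir}/database"
  ];

  # Compose file
  composeText = ''
    services:
      passbolt-server:
        image: docker.io/passbolt/passbolt:${passboltVersion}
        container_name: passbolt-server
        hostname: passbolt-server
        # Non-root image; www-data inside the container.
        user: '33:33'
        networks:
          passbolt:
        # NOTE(review): this publishes the port on all host interfaces. If the
        # reverse proxy (see middlewares) is the intended entry point, binding
        # to 127.0.0.1 would keep the TLS port off the network — depends on how
        # the helper consumes defaultPort, so confirm before changing.
        ports:
          - "${cfg.port}:4433/tcp"
        # Only the key material is persisted; the application itself is
        # stateless apart from the database.
        volumes:
          - ${cfg.configDir}/gpg:/etc/passbolt/gpg
          - ${cfg.configDir}/jwt:/etc/passbolt/jwt
        environment:
          APP_DEFAULT_TIMEZONE: ${config.time.timeZone}
          APP_FULL_BASE_URL: https://${cfg.subdomain}.${config.numbus.services.domain}
          DATASOURCES_DEFAULT_HOST: "passbolt-database"
          # $DB_* are resolved from generatedSecrets, not Nix interpolation.
          DATASOURCES_DEFAULT_USERNAME: $DB_USERNAME
          DATASOURCES_DEFAULT_PASSWORD: $DB_PASSWORD
          DATASOURCES_DEFAULT_DATABASE: $DB_NAME
          EMAIL_DEFAULT_FROM_NAME: "Passbolt"
          EMAIL_TRANSPORT_DEFAULT_HOST: ${config.numbus.mail.smtpServer}
          EMAIL_TRANSPORT_DEFAULT_PORT: ${toString config.numbus.mail.smtpPort}
          EMAIL_TRANSPORT_DEFAULT_USERNAME: ${config.numbus.mail.smtpUsername}
          # Must match the key in generatedSecrets above.
          EMAIL_TRANSPORT_DEFAULT_PASSWORD: $SMTP_PASSWORD
          EMAIL_TRANSPORT_DEFAULT_TLS: true
          EMAIL_DEFAULT_FROM: passbolt-noreply@${config.numbus.services.domain}
          PASSBOLT_SSL_FORCE: true
        # Block until the database port answers before running the entrypoint.
        command: [ "/usr/bin/wait-for.sh", "-t", "0", "passbolt-database:3306", "--", "/docker-entrypoint.sh" ]
        depends_on:
          - passbolt-database
        security_opt:
          - no-new-privileges:true
        cap_drop:
          - NET_RAW
        restart: unless-stopped

      passbolt-database:
        image: docker.io/library/mariadb:${databaseVersion}
        container_name: passbolt-database
        hostname: passbolt-database
        user: '1000:1000'
        networks:
          passbolt:
        volumes:
          - ${cfg.configDir}/database:/var/lib/mysql
        environment:
          # Root password is randomized and never stored in this config; the
          # application only ever uses the $DB_* account.
          MYSQL_RANDOM_ROOT_PASSWORD: "true"
          MYSQL_DATABASE: $DB_NAME
          MYSQL_USER: $DB_USERNAME
          MYSQL_PASSWORD: $DB_PASSWORD
        security_opt:
          - no-new-privileges:true
        cap_drop:
          - NET_RAW
        restart: unless-stopped

    networks:
      passbolt:
        name: passbolt
        driver: bridge
  '';
}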