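# Passbolt (password manager) as a Podman compose service.
#
# The module calls `helper.mkPodmanService` from ./lib.nix with the service
# metadata and a compose file in `composeText`. The compose file defines:
#   * passbolt-server   - Passbolt CE, attached to the frontend and backend
#                         networks, published on the host at `cfg.port`.
#   * passbolt-database - MariaDB, attached to the backend network only and
#                         publishing no host port.
#
# Only `${...}` is interpolated by Nix inside the '' string. The bare `$NAME`
# references (`$TZ`, `$PASSBOLT_MYSQL_*`, `$EMAIL_*`) are emitted literally,
# so the database and SMTP credentials are not written into this file's
# output. They must be supplied when the compose file is evaluated.
# NOTE(review): how the helper provides that environment is not visible
# here - confirm it reads a root-only secrets file.
{ config, pkgs, lib, ... }:

with lib;

let
  helper = import ./lib.nix { inherit config pkgs lib; };
  cfg = config.numbus.services.passbolt;
in
helper.mkPodmanService {
  name = "passbolt";
  description = "Passbolt, your password manager";
  defaultPort = "4433";
  pod = "passbolt";
  scheme = "https";
  dependencies = [
    "traefik.service"
    "${config.numbus.services.dns}.service"
  ];

  # Review notes on the compose file below:
  #  * `passbolt:latest-ce-non-root` is a floating tag, so every pull may
  #    bring in a different image. For a password manager, pin a release tag
  #    or an image digest and update it deliberately.
  #  * `ports` gives no host address, so `cfg.port` is published on every
  #    host interface. If only the reverse proxy should reach Passbolt, bind
  #    the port to a specific address instead.
  #    NOTE(review): depends on how the helper wires traefik - confirm.
  #  * `cap_drop` removes NET_RAW only; the remaining default capabilities
  #    stay available. Dropping ALL and adding back what each image needs is
  #    stricter, but must be tested per image.
  #  * The `passbolt-gpg` and `passbolt-jwt` volumes are mounted at
  #    /etc/passbolt/gpg and /etc/passbolt/jwt, where Passbolt keeps server
  #    key material. Treat backups of these volumes as secrets.
  #  * Boolean-looking environment values are quoted. A bare YAML `true` is
  #    parsed as a boolean and the string handed to the container then
  #    depends on the compose implementation.
  composeText = ''
    services:
      passbolt-server:
        image: docker.io/passbolt/passbolt:latest-ce-non-root
        container_name: passbolt-server
        hostname: passbolt-server
        networks:
          passbolt_frontend:
          passbolt_backend:
        ports:
          - "${cfg.port}:4433/tcp"
        volumes:
          - passbolt-gpg:/etc/passbolt/gpg
          - passbolt-jwt:/etc/passbolt/jwt
        environment:
          APP_DEFAULT_TIMEZONE: $TZ
          APP_FULL_BASE_URL: https://${cfg.subdomain}.${config.numbus.services.domain}
          DATASOURCES_DEFAULT_HOST: "passbolt-database"
          DATASOURCES_DEFAULT_USERNAME: $PASSBOLT_MYSQL_USER
          DATASOURCES_DEFAULT_PASSWORD: $PASSBOLT_MYSQL_PASSWORD
          DATASOURCES_DEFAULT_DATABASE: $PASSBOLT_MYSQL_DATABASE
          EMAIL_DEFAULT_FROM_NAME: "Passbolt"
          EMAIL_TRANSPORT_DEFAULT_HOST: $EMAIL_TRANSPORT_DEFAULT_HOST
          EMAIL_TRANSPORT_DEFAULT_PORT: $EMAIL_TRANSPORT_DEFAULT_PORT
          EMAIL_TRANSPORT_DEFAULT_USERNAME: $EMAIL_TRANSPORT_DEFAULT_USERNAME
          EMAIL_TRANSPORT_DEFAULT_PASSWORD: $EMAIL_TRANSPORT_DEFAULT_PASSWORD
          EMAIL_TRANSPORT_DEFAULT_TLS: "true"
          EMAIL_DEFAULT_FROM: $EMAIL_ADDRESS
          PASSBOLT_SSL_FORCE: "true"
        command:
          [
            "/usr/bin/wait-for.sh",
            "-t",
            "0",
            "passbolt-database:3306",
            "--",
            "/docker-entrypoint.sh",
          ]
        depends_on:
          - passbolt-database
        security_opt:
          - no-new-privileges:true
        cap_drop:
          - NET_RAW
        restart: unless-stopped

      passbolt-database:
        image: docker.io/library/mariadb:12.2
        container_name: passbolt-database
        hostname: passbolt-database
        networks:
          passbolt_backend:
        volumes:
          - passbolt-database:/var/lib/mysql
        environment:
          MYSQL_RANDOM_ROOT_PASSWORD: "true"
          MYSQL_DATABASE: $PASSBOLT_MYSQL_DATABASE
          MYSQL_USER: $PASSBOLT_MYSQL_USER
          MYSQL_PASSWORD: $PASSBOLT_MYSQL_PASSWORD
        security_opt:
          - no-new-privileges:true
        cap_drop:
          - NET_RAW
        restart: unless-stopped

    volumes:
      passbolt-database:
      passbolt-gpg:
      passbolt-jwt:

    networks:
      passbolt_frontend:
        name: passbolt_frontend
        driver: bridge
        ipam:
          config:
            - subnet: "10.89.12.0/24"
              gateway: "10.89.12.254"
      passbolt_backend:
        name: passbolt_backend
        driver: bridge
        ipam:
          config:
            - subnet: "10.89.13.0/24"
              gateway: "10.89.13.254"
  '';
}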