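{ config, pkgs, lib, ... }:

with lib;

let
  # Pinned image tags.  Bump deliberately: the MQTT password file written by
  # quirk-2 (hashed with the host's mosquitto_passwd) must stay readable by
  # the mosquitto version running in the image.
  homeAssistantVersion = "2026.2.3";
  mqttVersion = "2.1-alpine";

  helper = import ./lib.nix { inherit config pkgs lib; };
  cfg = config.numbus.services.home-assistant;

  # Container / unit name; everything below is derived from it.
  name = "home-assistant";

  # Range Home Assistant is told to trust X-Forwarded-For from.
  # NOTE(review): a /24 trusts every host on the LAN to spoof the client
  # address HA sees (login IP bans, trusted_networks auth).  If the reverse
  # proxy is this host itself, a /32 on the host address is sufficient.
  proxyNet = "${config.numbus.networking.ipAddress}/24";

  haConfig = "${cfg.configDir}/config/configuration.yaml";
  mqttDir = "${cfg.configDir}/mqtt";

  # `devices:` block for the Home Assistant service.  Built here with its
  # final YAML indentation because a multi-line interpolation inside the
  # compose text only inherits the surrounding indent on its first line.
  devicesBlock = optionalString (cfg.devices != [ ]) (concatStringsSep "\n"
    ([ "    devices:" ] ++ map (d: "      - \"${d}\"") cfg.devices));
in
helper.mkPodmanService {
  inherit name;
  description = "Home Assistant, libre house control and much more";
  defaultPort = "8123";
  dataDirEnabled = false;

  # Broker credentials, generated once by the helper's secrets unit and
  # consumed by quirk-2 below (read from /var/lib/numbus-server/<name>/.env).
  generatedSecrets = {
    HOME_ASSISTANT_MQTT_USER = "xkcdpass -n 2 -d -";
    HOME_ASSISTANT_MQTT_PASSWORD = "xkcdpass -n 8 -d -";
  };

  # 100999 is presumably the host uid that container uid 1000 maps to
  # (subuid range starting at 100000) — TODO confirm against the podman
  # setup in lib.nix; mosquitto runs as 1000:1000 inside its container.
  dirPermissions = [
    "1000:100 ${cfg.configDir}"
    "1000:100 ${cfg.configDir}/config"
    "100999:100 ${mqttDir}"
  ];

  middlewares = [ "secureHeaders" ];

  composeText = ''
    services:
      home-assistant:
        image: ghcr.io/home-assistant/home-assistant:${homeAssistantVersion}
        container_name: home-assistant
        hostname: home-assistant
        networks:
          home-assistant:
        # NOTE(review): published on all host interfaces, so HA is reachable
        # directly on ${cfg.port}, bypassing the proxy and its secureHeaders
        # middleware.  Prefix with 127.0.0.1: if only proxied access is wanted.
        ports:
          - "${cfg.port}:8123/tcp"
        volumes:
          - ${cfg.configDir}/config:/config
          - /etc/localtime:/etc/localtime:ro
          # Host D-Bus is exposed read-only (e.g. for Bluetooth); it still
          # lets the container talk to every host bus service.
          - /run/dbus:/run/dbus:ro
    ${devicesBlock}
        security_opt:
          - no-new-privileges:true
        cap_drop:
          - NET_RAW
        restart: unless-stopped

      home-assistant-mqtt:
        image: docker.io/library/eclipse-mosquitto:${mqttVersion}
        container_name: home-assistant-mqtt
        hostname: home-assistant-mqtt
        user: '1000:1000'
        # No `ports:` — the broker (plaintext, port 1883) is only reachable
        # from containers on the private bridge network below.
        networks:
          home-assistant:
        volumes:
          - ${mqttDir}:/mosquitto
        security_opt:
          - no-new-privileges:true
        cap_drop:
          - NET_RAW
        restart: unless-stopped

    networks:
      home-assistant:
        name: home-assistant
        driver: bridge
  '';

  extraOptions = {
    devices = mkOption {
      type = types.listOf types.str;
      default = [ ];
      example = [ "/dev/serial/by-id/Sonoff_Zigbee_3.0-id-port0:/dev/ttyUSB0" ];
      description = ''
        List of devices to map into the container.
        /dev/ttyUSB0 is used for Zigbee dongles
      '';
    };
  };

  # Both quirk units live in extraConfig.  (Previously quirk-2 was a
  # sibling attribute of extraConfig rather than inside it, so it was
  # never part of the generated system configuration.)
  extraConfig = {
    # Quirk 1: after HA has written its initial configuration.yaml, append
    # the reverse-proxy settings (and an empty `zha:` to enable ZHA) and
    # restart the container.
    systemd.services."${name}-quirk-1" = {
      description = "Podman container quirk 1 : ${name}";
      wantedBy = [ "multi-user.target" ];
      after = [ "${name}.service" ];
      onFailure = [ "service-failure-notify@%n.service" ];
      startLimitBurst = 5;
      startLimitIntervalSec = 600;
      path = [ pkgs.coreutils pkgs.systemd ];
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
      };
      script = ''
        mkdir -p /var/lib/numbus-server/${name}

        # Wait for HA's first start to create the file; bounded so a
        # container that never comes up fails this unit (and notifies)
        # instead of hanging forever.
        for _ in $(seq 40); do
          [[ -e "${haConfig}" ]] && break
          sleep 15
        done
        if [[ ! -e "${haConfig}" ]]; then
          echo "${haConfig} did not appear" >&2
          exit 1
        fi

        # Already patched with the current proxy range: nothing to do.
        if grep -qF "${proxyNet}" "${haConfig}"; then
          exit 0
        fi

        # Patched with a stale range: drop the block appended below before
        # re-appending it.  `head -n -4` must match the 4 heredoc lines.
        # NOTE(review): assumes any use_x_forwarded_for in the file was
        # written by this script, not by the user.
        # Overwrite in place (cat >, not mv) so the file keeps the
        # ownership and mode HA's uid needs; mktemp files are 0600 root.
        if grep -qF "use_x_forwarded_for" "${haConfig}"; then
          tmp=$(mktemp)
          head -n -4 "${haConfig}" > "$tmp"
          cat "$tmp" > "${haConfig}"
          rm -f "$tmp"
        fi

        cat << 'EOF' >> "${haConfig}"
        http:
          use_x_forwarded_for: true
          trusted_proxies: ${proxyNet}
        zha:
        EOF
        systemctl restart ${name}.service
      '';
    };

    # Quirk 2: generate mosquitto.conf and the hashed password file before
    # the container (and the permissions unit that chowns them) starts.
    systemd.services."${name}-quirk-2" = {
      description = "Podman container quirk 2 : ${name}";
      wantedBy = [ "multi-user.target" "${name}.service" ];
      after = [ "${name}-secrets.service" ];
      before = [ "${name}.service" "${name}-permissions.service" ];
      onFailure = [ "service-failure-notify@%n.service" ];
      startLimitBurst = 5;
      startLimitIntervalSec = 600;
      path = [ pkgs.coreutils pkgs.mosquitto ];
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
      };
      script = ''
        conf="${mqttDir}/mosquitto.conf"
        pw="${mqttDir}/password.txt"

        # Both files present and the broker already configured: done.
        # (The old test `[[ -e conf && pw ]]` only checked that the
        # second path was a non-empty string.)
        if [[ -e "$conf" && -e "$pw" ]] && grep -qF "listener 1883" "$conf"; then
          exit 0
        fi

        # Regenerate both from scratch rather than appending to whatever
        # half-written state is there.
        rm -f "$conf" "$pw"
        cat << 'EOF' > "$conf"
        persistence true
        persistence_location /mosquitto/data/
        log_dest file /mosquitto/log/mosquitto.log

        listener 1883

        ## Authentication ##
        allow_anonymous false
        password_file /mosquitto/password.txt
        EOF

        # Write the credential into the file first and let mosquitto_passwd
        # hash it in place (-U), so the password never appears on a command
        # line.  umask 077 keeps the file 0600 from creation onward.
        source /var/lib/numbus-server/${name}/.env
        (
          umask 077
          printf '%s:%s\n' "$HOME_ASSISTANT_MQTT_USER" "$HOME_ASSISTANT_MQTT_PASSWORD" > "$pw"
          mosquitto_passwd -U "$pw"
        )
        chmod 600 "$pw"
      '';
    };
  };
}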