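{ config, lib, pkgs, ... }:

# NixOS module that runs the Frigate NVR as a rootless podman-compose project,
# attached to the shared home-assistant networks and published through Traefik.

with lib;

let
  cfg = config.numbus.services.frigate;

  # Container name; also used as the name of the generated systemd unit.
  container_name = "frigate";
  # Location of the rendered compose file, relative to /etc.
  compose_file = "podman/frigate/compose.yaml";
  # Host directories bind-mounted into the container.
  config_dir = "/mnt/config/frigate";
  data_dir = "/mnt/data/frigate";

  # YAML fragment for the `devices:` key of the frigate service, pre-indented
  # for the `services.frigate` level of the compose file (key at 4 spaces,
  # list items at 6). When cfg.devices is empty the fragment is empty too, so
  # the compose file never carries a bare `devices:` key with a null value,
  # which is not a valid device list and may be rejected by the compose tool.
  devices_yaml = optionalString (cfg.devices != [ ])
    ("devices:\n" + concatMapStringsSep "\n" (dev: "      - ${dev}") cfg.devices);
in
{
  options.numbus.services.frigate = {
    enable = mkEnableOption "Frigate NVR";

    domain = mkOption {
      type = types.str;
      description = "The root domain name (e.g., example.com). Frigate will use frigate.example.com";
    };

    mqtt = {
      user = mkOption {
        type = types.str;
        default = "frigate";
        description = "MQTT User for Frigate";
      };
      # Deliberately no password option: option values are evaluated into the
      # Nix store, which is world-readable. The password is planned to come
      # from a sops-nix secret exported as FRIGATE_MQTT_PASSWORD in the
      # environment of the systemd unit below.
    };

    devices = mkOption {
      type = types.listOf types.str;
      default = [ ];
      example = [ "/dev/dri:/dev/dri" "/dev/bus/usb:/dev/bus/usb" ];
      description = "List of devices to map into the container";
    };
  };

  config = mkIf cfg.enable {
    # The compose file is rendered under /etc (readable by every local user by
    # default), so the MQTT password must only ever appear here as the shell
    # style reference `$FRIGATE_MQTT_PASSWORD`, which podman-compose resolves
    # from the unit's environment at `up` time. Never Nix-interpolate the
    # secret into this string.
    #
    # Security-relevant points in the rendered file:
    #   - every entry of cfg.devices hands the container a host device node
    #     (e.g. /dev/dri for hardware decode); the rootless user running the
    #     unit must itself be allowed to open that node;
    #   - only the TLS entrypoint (websecure) is routed and no Traefik auth
    #     middleware is attached, so access control relies on Frigate's own
    #     authentication on port 8971 - confirm this port is the one Frigate
    #     serves its authenticated UI/API on for the pinned image;
    #   - /etc/localtime is mounted read-only; the cache is a size-capped tmpfs.
    environment.etc."${compose_file}".text = ''
      services:
        frigate:
          image: ghcr.io/blakeblackshear/frigate:stable
          container_name: frigate
          shm_size: "512MB"
          networks:
            home-assistant_frontend:
            home-assistant_backend:
          volumes:
            - ${config_dir}:/config
            - ${data_dir}/clips:/media/frigate/clips
            - ${data_dir}/recordings:/media/frigate/recordings
            - ${data_dir}/exports:/media/frigate/exports
            - /etc/localtime:/etc/localtime:ro
            - type: tmpfs
              target: /tmp/cache
              tmpfs:
                size: 2000000000
          environment:
            FRIGATE_MQTT_USER: ${cfg.mqtt.user}
            # We will handle the password injection securely in the next phase
            FRIGATE_MQTT_PASSWORD: $FRIGATE_MQTT_PASSWORD
          ${devices_yaml}
          labels:
            - traefik.enable=true
            - traefik.docker.network=home-assistant_frontend
            - traefik.http.services.frigate.loadbalancer.server.port=8971
            - traefik.http.services.frigate.loadbalancer.server.scheme=http
            - traefik.http.routers.frigate-https.entrypoints=websecure
            - "traefik.http.routers.frigate-https.rule=Host(`frigate.${cfg.domain}`)"
            - traefik.http.routers.frigate-https.tls=true
            - traefik.http.routers.frigate-https.tls.certresolver=cloudflare
          restart: unless-stopped

      networks:
        home-assistant_backend:
          external: true
        home-assistant_frontend:
          external: true
    '';

    # One-shot-style wrapper unit around `podman-compose up/down`, running
    # rootless as numbus-admin. Traefik and Home Assistant are hard
    # dependencies (requires); pi-hole only orders start-up (after) and its
    # absence does not prevent Frigate from starting.
    #
    # NOTE(review): the unit sets no Environment/EnvironmentFile, so the
    # `$FRIGATE_MQTT_PASSWORD` reference in the compose file resolves to an
    # empty value until the secret wiring lands. The intended shape is an
    # EnvironmentFile pointing at a sops-nix rendered file that is readable
    # only by numbus-admin (mode 0400), not a value in this Nix expression.
    systemd.services."${container_name}" = {
      description = "Podman container : ${container_name}";
      after = [ "traefik.service" "home-assistant.service" "pi-hole.service" ];
      requires = [ "traefik.service" "home-assistant.service" ];
      wantedBy = [ "multi-user.target" ];
      path = [ pkgs.podman pkgs.podman-compose pkgs.coreutils ];
      serviceConfig = {
        User = "numbus-admin";
        Type = "exec";
        ExecStart = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} up --remove-orphans";
        ExecStop = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} down";
      };
    };
  };
}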