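# NixOS module: runs Pi-hole through Docker Compose.
#
# It writes /etc/docker-compose/pihole/compose.yaml via `environment.etc` and
# defines a `pihole` systemd unit that pulls the image, runs `docker compose up`
# in the foreground, and runs `docker compose down` on stop.
#
# Layout restored to one statement per line. In the collapsed form, every `#`
# comment swallowed the code that followed it, and the ExecStart command
# contained a line break.
{ config, pkgs, ... }:
let
  container_name = "pihole";
  compose-dir = "docker-compose/pihole";
  config-dir = "/mnt/config-storage/docker-data/pihole";
in
{
  config = {
    # The `$NAME` references below are resolved by Docker Compose, not by Nix.
    # NOTE(review): nothing in this file supplies them (the unit has no
    # EnvironmentFile and the commands pass no --env-file); presumably they
    # come from a `.env` next to the compose file or from the service
    # environment. Confirm, and keep that source readable by root only, since
    # it holds the web/API password. The password also ends up in the
    # container environment, so anyone with access to the Docker socket can
    # read it through `docker inspect`.
    environment.etc."${compose-dir}/compose.yaml".text =
      /* yaml */
      ''
        services:
          pihole:
            # Unpinned tag: together with the pull in ExecStartPre, every
            # service start may run a different image without review.
            # Consider pinning a version tag or an image digest.
            image: pihole/pihole:latest
            container_name: pihole
            networks:
              pihole:
            ports:
              # DNS Ports
              # Published on every host address. With listeningMode "all" the
              # resolver answers any client that can reach the host, so limit
              # port 53 to the LAN with the host firewall or a bind address.
              - "53:53/tcp"
              - "53:53/udp"
            environment:
              TZ: $TZ
              # Required form: compose aborts when the variable is unset or
              # empty instead of substituting a blank string, which may leave
              # the web/API without a password (confirm for the image in use).
              FTLCONF_webserver_api_password: ''${FTLCONF_webserver_api_password:?must be set to a non-empty value}
              FTLCONF_dns_listeningMode: all
              FTLCONF_dns_revServers: true,$HOME_ROUTER_SUBNET,$HOME_ROUTER_IP,home
              FTLCONF_dns_domain_name: home
              FTLCONF_dns_domain_local: true
              FTLCONF_dns_hosts: |
                $HOME_SERVER_IP dns.$DOMAIN_NAME
                $HOME_SERVER_IP reverse.$DOMAIN_NAME
                $HOME_SERVER_IP nextcloud.$DOMAIN_NAME
                $HOME_SERVER_IP nextcloud-aio.$DOMAIN_NAME
                $HOME_SERVER_IP hass.$DOMAIN_NAME
                $HOME_SERVER_IP passbolt.$DOMAIN_NAME
              FTLCONF_dhcp_active: false
              FTLCONF_dns_upstreams: 9.9.9.11;149.112.112.11
              PIHOLE_UID: 1000
              PIHOLE_GID: 1000
            volumes:
              - ${config-dir}/config:/etc/pihole
            # Extra capabilities widen what a compromised container can do.
            # NOTE(review): SYS_TIME lets the container set the host clock;
            # drop either entry if the matching Pi-hole feature is unused.
            cap_add:
              - SYS_TIME
              - SYS_NICE
            labels:
              - traefik.enable=true
              - traefik.http.services.pihole.loadbalancer.server.port=443
              - traefik.http.services.pihole.loadbalancer.server.scheme=https
              - traefik.http.routers.pihole-https.entrypoints=websecure
              - traefik.http.routers.pihole-https.rule=Host(`dns.$DOMAIN_NAME`)
              - traefik.http.routers.pihole-https.tls=true
              - traefik.http.routers.pihole-https.tls.certresolver=cloudflare
            restart: unless-stopped

        networks:
          pihole:
            external: true
      '';

    systemd.services.pihole = {
      description = "Docker container : ${container_name}";
      # Ordered after traefik.service, but only docker.service is a hard
      # requirement of this unit.
      after = [
        "network.target"
        "docker.service"
        "docker.socket"
        "traefik.service"
      ];
      requires = [ "docker.service" ];
      wantedBy = [ "multi-user.target" ];
      path = [ pkgs.docker ];
      serviceConfig = {
        Type = "exec";
        # Pull the latest image before running
        ExecStartPre = "${pkgs.docker}/bin/docker compose -f /etc/${compose-dir}/compose.yaml pull";
        # Bring the service up (foreground, so systemd supervises compose)
        ExecStart = "${pkgs.docker}/bin/docker compose -f /etc/${compose-dir}/compose.yaml up --remove-orphans";
        # Take it down gracefully
        ExecStop = "${pkgs.docker}/bin/docker compose -f /etc/${compose-dir}/compose.yaml down";
        Restart = "on-failure";
      };
    };
  };
}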