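{ config, lib, pkgs, homeyConfig, ... }:
# phpLDAPadmin — web UI for OpenLDAP management.
#
# Stateless container (no persistent volumes needed).
# Protected by Authelia: admins only, two_factor; every other subject is
# denied by an explicit catch-all rule.
# Bound to 127.0.0.1:<port> (default 8081); Caddy reverse-proxies it and
# terminates TLS, so the Caddy -> container hop is plain HTTP on loopback.
#
# Networking: the container joins the `homey` podman network
# (--network=homey) and reaches OpenLDAP by the container name "openldap"
# through that network's DNS. The loopback port mapping 127.0.0.1:<port>->80
# exists only so Caddy on the host can reach it. (An earlier description of
# this module talked about the default bridge network and
# host.containers.internal; that no longer matches extraOptions /
# PHPLDAPADMIN_LDAP_HOSTS below and has been dropped.)
let
  cfg = config.homey.phpldapadmin;
  domain = homeyConfig.domain;

  # Units this container must be ordered after and pull in: the OpenLDAP
  # container and the unit that creates the shared `homey` podman network.
  ldapDeps = [ "podman-openldap.service" "podman-homey-network.service" ];
in
{
  options.homey.phpldapadmin = {
    enable = lib.mkEnableOption "phpLDAPadmin web interface" // { default = true; };

    image = lib.mkOption {
      type = lib.types.str;
      default = "docker.io/osixia/phpldapadmin:latest";
      description = ''
        Container image for phpLDAPadmin. The default uses a floating
        `:latest` tag, so what actually runs depends on when the image was
        last pulled; for a reproducible, auditable deployment pin a digest,
        e.g. `docker.io/osixia/phpldapadmin@sha256:<DIGEST>`.
      '';
    };

    port = lib.mkOption {
      type = lib.types.port;
      default = 8081;
      description = "Host port phpLDAPadmin listens on (bound to 127.0.0.1).";
    };
  };

  config = lib.mkIf cfg.enable {
    virtualisation.oci-containers.containers.phpldapadmin = {
      image = cfg.image;
      environment = {
        # TLS is terminated by Caddy; the container serves plain HTTP on 80,
        # reachable only through the loopback port mapping below.
        PHPLDAPADMIN_HTTPS = "false";
        # "openldap" resolves to the OpenLDAP container via homey network DNS.
        # NOTE(review): nothing here enables LDAP client TLS, so this hop is
        # presumably plain LDAP inside the podman network and bind credentials
        # cross it in the clear — confirm that is acceptable, or enable the
        # image's LDAP client-TLS settings if it provides them.
        PHPLDAPADMIN_LDAP_HOSTS = "openldap";
      };
      # Loopback-only mapping: port 80 is not reachable from outside the host.
      ports = [ "127.0.0.1:${toString cfg.port}:80" ];
      extraOptions = [ "--network=homey" ];
    };

    # Ordering and (soft) dependency on OpenLDAP and the homey network unit.
    systemd.services."podman-phpldapadmin" = {
      after = lib.mkAfter ldapDeps;
      wants = lib.mkAfter ldapDeps;
    };

    # -----------------------------------------------------------------------
    # Authelia access control — admins only, two_factor; all others denied.
    # Rule 20 grants group:admins with two_factor; rule 21 is the explicit
    # catch-all deny for the same domain, so a request from a non-admin never
    # falls through to whatever policy applies elsewhere.
    # -----------------------------------------------------------------------
    homey.authelia.accessControlRules = [
      {
        priority = 20;
        domain = [ "ldapadmin.${domain}" ];
        subject = [ "group:admins" ];
        policy = "two_factor";
      }
      {
        priority = 21;
        domain = [ "ldapadmin.${domain}" ];
        policy = "deny";
      }
    ];

    # -----------------------------------------------------------------------
    # Caddy virtual host — forward_auth + reverse_proxy
    # -----------------------------------------------------------------------
    homey.caddy.virtualHosts = [{
      subdomain = "ldapadmin";
      port = cfg.port;
      auth = true;
    }];

    # phpLDAPadmin is stateless (no persistent volumes) — no storage or backup
    # entries needed.

    # -----------------------------------------------------------------------
    # Uptime Kuma monitor for this service
    # The probe targets the container by its DNS name, bypassing Caddy and
    # Authelia; it presumably runs on the homey network too — TODO confirm.
    # -----------------------------------------------------------------------
    homey.monitoring.monitors = [{
      name = "phpLDAPadmin";
      url = "http://phpldapadmin:80";
      interval = 60;
    }];
  };
}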