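{ config, lib, pkgs, homeyConfig, ... }:

# phpLDAPadmin — web UI for OpenLDAP management.
#
# Stateless container (no persistent volumes needed).
# Meant to be reachable only through the Caddy reverse proxy. The Authelia
# two_factor, admins-only policy is defined in authelia.nix (not visible here).
#
# Security note: this container must not use `--network=host`. In host network
# mode podman discards the `ports` mapping, so the web server in the image
# would listen on port 80 of every host interface instead of 127.0.0.1:<port>.
# That leaves a path to the LDAP admin UI that bypasses Caddy and Authelia.
# Running on the default container network makes the loopback-only publish
# below take effect.

let
  cfg = config.homey.phpldapadmin;
in
{
  options.homey.phpldapadmin = {
    enable = lib.mkEnableOption "phpLDAPadmin web interface";

    image = lib.mkOption {
      type = lib.types.str;
      # NOTE(review): `:latest` is a mutable tag, so a rebuild can silently pull
      # different code into a container that handles directory admin
      # credentials. Prefer overriding this with a digest-pinned reference
      # (`<image>@sha256:<digest>`) that has been reviewed.
      default = "docker.io/osixia/phpldapadmin:latest";
      description = "Container image reference for phpLDAPadmin; pin by digest in production.";
    };

    port = lib.mkOption {
      type = lib.types.port;
      default = 8081;
      description = "Host port phpLDAPadmin listens on (bound to 127.0.0.1).";
    };

    ldapHost = lib.mkOption {
      type = lib.types.str;
      # podman adds this name to the container's /etc/hosts, pointing at the host.
      default = "host.containers.internal";
      description = ''
        Address phpLDAPadmin uses to reach the LDAP server. The container no
        longer shares the host network namespace, so 127.0.0.1 would refer to
        the container itself.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    virtualisation.oci-containers.containers.phpldapadmin = {
      image = cfg.image;

      # Publish the container's port 80 on host loopback only, so Caddy is the
      # sole entry point. This is honoured only without host networking.
      ports = [ "127.0.0.1:${toString cfg.port}:80" ];

      environment = {
        # TLS is terminated by the reverse proxy; the hop to the container is
        # plain HTTP over loopback.
        PHPLDAPADMIN_HTTPS = "false";
        # NOTE(review): slapd must accept connections from the container
        # network (listener address and host firewall) — confirm against the
        # openldap module, which is not visible here.
        PHPLDAPADMIN_LDAP_HOSTS = cfg.ldapHost;
      };
    };

    # Order the unit after the OpenLDAP container and pull it in (weak dependency).
    systemd.services."podman-phpldapadmin" = {
      after = lib.mkAfter [ "podman-openldap.service" ];
      wants = lib.mkAfter [ "podman-openldap.service" ];
    };
  };
}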