{ config, lib, pkgs, homeyConfig, ... }:

# Nextcloud + PostgreSQL.
#
# Two containers:
#   nextcloud-postgres  — PostgreSQL, bound to localhost:5432
#   nextcloud           — Nextcloud PHP-FPM + Apache, bound to localhost:8080
#
# Volume layout:
#   <dataDir>/nextcloud/db/    → /var/lib/postgresql/data  (postgres)
#   <dataDir>/nextcloud/html/  → /var/www/html              (nextcloud)
#
# Secrets consumed from sops:
#   nextcloud/admin_password
#   nextcloud/postgres_password

let
  cfg     = config.homey.nextcloud;
  dataDir = config.homey.storage.mountPoint;
  domain  = homeyConfig.domain;
in
{
  options.homey.nextcloud = {
    enable = lib.mkEnableOption "Nextcloud file server";

    image = lib.mkOption {
      type    = lib.types.str;
      default = "docker.io/nextcloud:latest";
    };

    postgresImage = lib.mkOption {
      type    = lib.types.str;
      default = "docker.io/postgres:16";
    };

    port = lib.mkOption {
      type    = lib.types.port;
      default = 8080;
      description = "Host port Nextcloud listens on (bound to 127.0.0.1).";
    };

    postgresPort = lib.mkOption {
      type    = lib.types.port;
      default = 5432;
      description = "Host port PostgreSQL listens on (bound to 127.0.0.1).";
    };
  };

  config = lib.mkIf cfg.enable {
    # -----------------------------------------------------------------------
    # Secrets
    # -----------------------------------------------------------------------
    sops.secrets."nextcloud/admin_password"    = { owner = "root"; };
    sops.secrets."nextcloud/postgres_password" = { owner = "root"; };

    # -----------------------------------------------------------------------
    # PostgreSQL container
    # -----------------------------------------------------------------------
    virtualisation.oci-containers.containers.nextcloud-postgres = {
      image = cfg.postgresImage;
      # No ports mapping — --network=host shares the host network stack directly.

      environment = {
        POSTGRES_DB   = "nextcloud_db";
        POSTGRES_USER = "postgres";
        # Password injected via env file
      };

      volumes = [
        "${dataDir}/nextcloud/db:/var/lib/postgresql/data"
      ];

      extraOptions = [
        "--network=host"
        "--env-file=/run/nc-postgres-secrets.env"
      ];
    };

    systemd.services."podman-nextcloud-postgres" = {
      serviceConfig = {
        LoadCredential = [
          "nextcloud_postgres_password:${config.sops.secrets."nextcloud/postgres_password".path}"
        ];
        ExecStartPre = [
          (pkgs.writeShellScript "nc-postgres-secrets-env" ''
            set -euo pipefail
            install -m 600 /dev/null /run/nc-postgres-secrets.env
            echo "POSTGRES_PASSWORD=$(cat "$CREDENTIALS_DIRECTORY/nextcloud_postgres_password")" \
              >> /run/nc-postgres-secrets.env
          '')
        ];
      };
      postStop = "rm -f /run/nc-postgres-secrets.env";
      after    = lib.mkAfter  [ "mnt-data.mount" ];
      requires = lib.mkAfter  [ "mnt-data.mount" ];
    };

    # -----------------------------------------------------------------------
    # Nextcloud container
    # -----------------------------------------------------------------------
    virtualisation.oci-containers.containers.nextcloud = {
      image = cfg.image;
      # No ports mapping — --network=host shares the host network stack directly.

      environment = {
        POSTGRES_HOST             = "127.0.0.1";
        POSTGRES_DB               = "nextcloud_db";
        POSTGRES_USER             = "postgres";
        NEXTCLOUD_ADMIN_USER      = "admin";
        NEXTCLOUD_TRUSTED_DOMAINS = "nextcloud.${domain}";
        OVERWRITEPROTOCOL         = "https";
        OVERWRITECLIURL           = "https://nextcloud.${domain}";
        # With --network=host, port mappings are ignored and the container's
        # Apache binds directly on the host. Force it onto port 8080 so Caddy
        # can own 80/443.
        APACHE_HTTP_PORT_NUMBER   = toString cfg.port;
        # Passwords injected via env file
      };

      volumes = [
        "${dataDir}/nextcloud/html:/var/www/html"
      ];

      extraOptions = [
        "--network=host"
        "--env-file=/run/nc-secrets.env"
      ];
    };

    systemd.services."podman-nextcloud" = {
      serviceConfig = {
        LoadCredential = [
          "nextcloud_postgres_password:${config.sops.secrets."nextcloud/postgres_password".path}"
          "nextcloud_admin_password:${config.sops.secrets."nextcloud/admin_password".path}"
        ];
        ExecStartPre = [
          (pkgs.writeShellScript "nc-secrets-env" ''
            set -euo pipefail
            install -m 600 /dev/null /run/nc-secrets.env
            echo "POSTGRES_PASSWORD=$(cat "$CREDENTIALS_DIRECTORY/nextcloud_postgres_password")"       >> /run/nc-secrets.env
            echo "NEXTCLOUD_ADMIN_PASSWORD=$(cat "$CREDENTIALS_DIRECTORY/nextcloud_admin_password")"   >> /run/nc-secrets.env
          '')
        ];
      };
      postStop = "rm -f /run/nc-secrets.env";
      after    = lib.mkAfter  [ "mnt-data.mount" "podman-nextcloud-postgres.service" ];
      requires = lib.mkAfter  [ "mnt-data.mount" "podman-nextcloud-postgres.service" ];
    };
  };
}