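{ config, lib, pkgs, homeyConfig, ... }:
# phpLDAPadmin — web UI for OpenLDAP management.
#
# Stateless container (no persistent volumes needed).
# Protected by Authelia two_factor, admins-only policy (defined in authelia.nix).
# Bound to localhost:8081 by default; Caddy reverse-proxies it.
#
# Networking: uses default bridge (podman) network with a port mapping
# 127.0.0.1:<port>->80 so Caddy can reach it. OpenLDAP runs on the host
# network at 127.0.0.1:389; the container reaches it via the special
# host.containers.internal DNS name that podman injects automatically.
#
# Security notes (review):
# - Access control lives entirely in Caddy + Authelia. The loopback bind keeps
#   the port off the LAN, but any process or user on this host can still reach
#   127.0.0.1:<port> directly and bypass Authelia. Treat local shell access on
#   this machine as equivalent to admin access to phpLDAPadmin.
# - phpLDAPadmin talks to OpenLDAP over plain ldap:// (port 389) across the
#   podman bridge, so LDAP bind credentials cross that bridge unencrypted.
#   That is host-local traffic only, but it is visible to anyone who can sniff
#   the bridge interface (i.e. root on the host).
# - The default image tag is `:latest`, which is mutable. Pin `image` to a
#   digest (`…@sha256:…`) in production so upgrades are deliberate and
#   auditable rather than whatever the registry serves at pull time.
let
  cfg = config.homey.phpldapadmin;
in
{
  options.homey.phpldapadmin = {
    enable = lib.mkEnableOption "phpLDAPadmin web interface";

    image = lib.mkOption {
      type = lib.types.str;
      default = "docker.io/osixia/phpldapadmin:latest";
      description = ''
        Container image to run. The default uses a mutable `:latest` tag;
        pin to an immutable digest (`image@sha256:...`) for reproducible,
        auditable deployments.
      '';
    };

    port = lib.mkOption {
      type = lib.types.port;
      default = 8081;
      description = "Host port phpLDAPadmin listens on (bound to 127.0.0.1).";
    };
  };

  config = lib.mkIf cfg.enable {
    virtualisation.oci-containers.containers.phpldapadmin = {
      image = cfg.image;

      environment = {
        # TLS is terminated by Caddy in front of the loopback port, so Apache
        # inside the container serves plain HTTP on :80.
        PHPLDAPADMIN_HTTPS = "false";
        # host.containers.internal resolves to the host from inside a podman
        # bridge container — reaches openldap which is on --network=host at :389.
        # NOTE(review): relies on podman injecting this name into the container's
        # resolver; confirm on the deployed podman version if lookups fail.
        PHPLDAPADMIN_LDAP_HOSTS = "host.containers.internal";
      };

      # Bridge network (default) + port mapping: Apache binds inside the
      # container on :80, podman maps it to 127.0.0.1:<port> on the host.
      # The explicit 127.0.0.1 prefix matters: without it podman publishes the
      # port on all interfaces, exposing the UI to the LAN with no Authelia
      # in front of it.
      ports = [ "127.0.0.1:${toString cfg.port}:80" ];
    };

    # Order after OpenLDAP so the UI's first LDAP connection does not race the
    # directory coming up. `wants` rather than `requires`: a stopped or
    # restarting OpenLDAP should not tear this unit down with it.
    systemd.services."podman-phpldapadmin" = {
      after = lib.mkAfter [ "podman-openldap.service" ];
      wants = lib.mkAfter [ "podman-openldap.service" ];
    };
  };
}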