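{ config, lib, pkgs, homeyConfig, ... }:
# phpLDAPadmin — web UI for OpenLDAP management.
#
# Stateless container (no persistent volumes needed).
# Protected by Authelia two_factor, admins-only policy (defined in authelia.nix).
# Bound to 127.0.0.1:<port> (default 8081); Caddy reverse-proxies it, which is
# why the container itself serves plain HTTP (PHPLDAPADMIN_HTTPS = "false").
#
# Networking: the container is attached to the "homey" podman network
# (--network=homey) and reaches OpenLDAP by the DNS name "openldap", which the
# homey network's DNS resolves to the OpenLDAP container. The host port
# mapping 127.0.0.1:<port>->80 exists only so Caddy on the host can reach the
# UI; the UI is not published on any non-loopback host interface.
let
  cfg = config.homey.phpldapadmin;
in
{
  options.homey.phpldapadmin = {
    enable = lib.mkEnableOption "phpLDAPadmin web interface";

    image = lib.mkOption {
      type = lib.types.str;
      default = "docker.io/osixia/phpldapadmin:latest";
      description = ''
        Container image for phpLDAPadmin. The default uses the mutable
        ":latest" tag; for reproducible and auditable deployments pin this
        to a specific version tag or an "@sha256:..." digest.
      '';
    };

    port = lib.mkOption {
      type = lib.types.port;
      default = 8081;
      description = "Host port phpLDAPadmin listens on (bound to 127.0.0.1).";
    };
  };

  config = lib.mkIf cfg.enable {
    virtualisation.oci-containers.containers.phpldapadmin = {
      image = cfg.image;
      environment = {
        # Plain HTTP inside the container; the only route in is the
        # loopback-only port mapping fronted by Caddy.
        PHPLDAPADMIN_HTTPS = "false";
        # "openldap" resolves to the OpenLDAP container via homey network DNS.
        PHPLDAPADMIN_LDAP_HOSTS = "openldap";
      };
      # Publish on loopback only: reachable by Caddy on the host, not by other
      # hosts on the network.
      ports = [ "127.0.0.1:${toString cfg.port}:80" ];
      extraOptions = [ "--network=homey" ];
    };

    # Order this unit after the shared network and the OpenLDAP container.
    # `wants` is a weak dependency: the UI still starts if OpenLDAP fails,
    # and phpLDAPadmin simply reports the LDAP host as unreachable.
    systemd.services."podman-phpldapadmin" = {
      after = lib.mkAfter [ "podman-openldap.service" "podman-homey-network.service" ];
      wants = lib.mkAfter [ "podman-openldap.service" "podman-homey-network.service" ];
    };

    # -----------------------------------------------------------------------
    # Uptime Kuma monitor for this service
    # -----------------------------------------------------------------------
    homey.monitoring.monitors = [{
      name = "phpLDAPadmin";
      url = "http://localhost:${toString cfg.port}";
      interval = 60;
    }];
  };
}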