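{ config, ... }:
let
  inherit (import ./lib.nix config) mkContainer blazestar;
  userIds = import ./user-ids.nix;

  # Single source of truth for the public host label. The container's hostName
  # and the PUBLIC_APP_URL handed to Pocket ID must agree, otherwise the
  # issuer / redirect URLs the IdP advertises will not match what is served.
  hostName = "auth";

  # The image defaults to port 80 (CADDY_PORT), which the unprivileged
  # pocket-id user cannot bind to, so an unprivileged port is used instead.
  # These ports inside the container are already taken:
  # - 8080: API
  # - 3000: Web UI
  # - 2019: Admin endpoint
  port = 8888;
in
{
  # Fixed uid/gid (from user-ids.nix) so ownership of the persisted data is
  # stable across container and host rebuilds.
  users.groups.pocket-id = {
    gid = userIds.pocket-id.gid;
  };

  users.users.pocket-id = {
    uid = userIds.pocket-id.uid;
    isSystemUser = true;
    description = "System User for Pocket ID";
    group = "pocket-id";
  };

  virtualisation.oci-containers.containers.pocket-id = mkContainer {
    image = "ghcr.io/pocket-id/pocket-id";
    dependsOn = [ ];
    inherit hostName port;
    # Presumably controls whether mkContainer exposes the service beyond the
    # local network -- confirm in lib.nix. An identity provider should stay as
    # narrowly reachable as its clients allow.
    public = false;
    domain = blazestar;
    homepageOpts = {
      group = "Infra";
      name = "Pocket ID";
      icon = "pocket-id";
      description = "Pocket ID Auth Server";
    };
    # Persistent state of the identity provider (its database and, presumably,
    # key material -- confirm against the image documentation). Nothing in this
    # module enforces ownership or mode on the host path; it should be owned by
    # pocket-id:pocket-id and not be readable by other users.
    volumes = [ "/tank/pocket-id/data:/app/backend/data" ];
    environment = {
      PUBLIC_APP_URL = "https://${hostName}.${blazestar}";
      # Whether the app is behind a reverse proxy, i.e. whether it may trust
      # X-Forwarded-For-style headers for the client address. PUBLIC_APP_URL is
      # https while the container itself only serves CADDY_PORT, so TLS
      # presumably terminates in a proxy in front (confirm in lib.nix). With
      # "false" every request is attributed to the proxy's address (audit log,
      # any IP-based limits). Only switch to "true" once port 8888 is reachable
      # solely through that proxy -- a directly reachable container would let a
      # client forge its source address via the header.
      TRUST_PROXY = "false";
      CADDY_PORT = toString port;
      # PORT = "3000"; # Frontend port
      # BACKEND_PORT = "8080"; # Backend port
      # Run the in-container process as the host's pocket-id user so files in
      # the data volume are not created as root.
      PUID = toString userIds.pocket-id.uid;
      PGID = toString userIds.pocket-id.gid;
    };
  };
}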