# NixOS module: declares a dedicated system user/group for Pocket ID and runs
# the Pocket ID auth server as an OCI container built through the project's
# mkContainer helper (defined in ./lib.nix).
{ config, ... }:
let
  inherit (import ./lib.nix config) mkContainer blazestar;

  # Numeric uid/gid for this service come from ./user-ids.nix, so the host
  # account and the PUID/PGID handed to the container always agree.
  ids = (import ./user-ids.nix).pocket-id;
in
{
  users.groups.pocket-id.gid = ids.gid;

  # Dedicated system account; nothing else in this module runs as it.
  users.users.pocket-id = {
    inherit (ids) uid;
    group = "pocket-id";
    isSystemUser = true;
    description = "System User for Pocket ID";
  };

  virtualisation.oci-containers.containers.pocket-id = mkContainer {
    # NOTE(review): no tag or digest is given here. Unless mkContainer adds
    # one, the runtime resolves the registry's default tag at pull time, so
    # the code behind the identity provider can change without a change in
    # this repository. Consider pinning a version or digest. TODO confirm
    # what mkContainer does with `image`.
    image = "ghcr.io/pocket-id/pocket-id";
    dependsOn = [ ];

    hostName = "auth";
    domain = blazestar;
    port = 3000;
    # NOTE(review): the meaning of `public` is defined by mkContainer, which
    # is not visible here; presumably it controls external exposure. Verify
    # against ./lib.nix.
    public = false;

    homepageOpts = {
      group = "Infra";
      name = "Pocket ID";
      icon = "pocket-id";
      description = "Pocket ID Auth Server";
    };

    # Persistent application data lives on the host under /tank.
    # NOTE(review): this directory presumably holds the auth server's
    # database and key material; check that it is owned by the pocket-id
    # uid/gid and is not readable by other accounts or containers.
    volumes = [ "/tank/pocket-id/data:/app/backend/data" ];

    environment = {
      PUBLIC_APP_URL = "https://auth.${blazestar}";
      # Whether the app is behind a reverse proxy.
      # NOTE(review): with this enabled the app presumably trusts
      # proxy-supplied forwarding headers, so port 3000 should be reachable
      # only through the reverse proxy and never directly by clients.
      TRUST_PROXY = "true";
      # The container is told to run as the dedicated host uid/gid.
      PUID = toString ids.uid;
      PGID = toString ids.gid;
    };
  };
}