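# Module: runs the Kanidm identity server as a podman container, gated by
# `settings.containers.kanidm.enable`.
{ config, lib, ... }:

let
  # Read this module's own option set. The original bound `cfg` to
  # `config.settings.containers.nginx`, so the kanidm container was started
  # or stopped by the nginx toggle and the `kanidm.enable` option declared
  # below had no effect.
  cfg = config.settings.containers.kanidm;
in
{
  options = {
    settings.containers.kanidm.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Enable kanidm container
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    services.podman.containers.kanidm = {
      # NOTE(review): `latest` is a mutable tag, so the identity provider can
      # change underneath this config on the next pull. Pin to a specific
      # release tag or image digest and bump it deliberately.
      image = "kanidm/server:latest";
      network = "proxy";
      networkAlias = [ "auth.tbmrs.nl" ];

      volumes = [
        # Kanidm database and state (KANIDM_DB_PATH below lives here).
        "%h/containers/kanidm/data:/data"

        # TLS chain and key taken from Caddy's ACME certificate store.
        # Mounted read-only: the environment below only points Kanidm at
        # these files as its TLS chain and key, so it needs no write access
        # to Caddy's certificate directory.
        # NOTE(review): this hands the *wildcard* private key for tbmrs.nl to
        # the container; a certificate scoped to auth.tbmrs.nl would limit
        # what a compromise of this container exposes.
        "%h/containers/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/wildcard_.tbmrs.nl:/data/keys:ro"
      ];

      environment = {
        KANIDM_VERSION = "2";
        # Listens on all interfaces inside the container; reachability is
        # whatever the "proxy" network allows.
        KANIDM_BINDADDRESS = "[::]:8443";
        KANIDM_DB_PATH = "/data/kanidm.db";
        KANIDM_TLS_CHAIN = "/data/keys/wildcard_.tbmrs.nl.crt";
        KANIDM_TLS_KEY = "/data/keys/wildcard_.tbmrs.nl.key";
        # Domain and origin must agree with the network alias above.
        KANIDM_DOMAIN = "auth.tbmrs.nl";
        KANIDM_ORIGIN = "https://auth.tbmrs.nl";
      };
    };
  };
}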