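# Home-manager style module that runs Paperless NGX as three podman
# containers (application, PostgreSQL, Redis broker) and registers a Caddy
# route for it. Secrets come from sops-nix and reach the containers as files
# under /run/secrets.
{ config, lib, pkgs, ... }:
let
  cfg = config.settings.containers.paperless-ngx;

  # Bind-mount one sops secret into a container at /run/secrets/<name>.
  # The mount is read-only: the containers only read these files through the
  # *_FILE variables, so a compromised container should not be able to
  # overwrite the decrypted secret on the host.
  secretMount = name:
    "${config.sops.secrets."containers/paperless-ngx/${name}".path}:/run/secrets/${name}:ro";
in
{
  options = {
    settings.containers.paperless-ngx.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Enable Paperless NGX container
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    settings.services.sops.enable = true;

    services.podman.containers.paperless-ngx = {
      # NOTE(review): ":latest" is a floating tag, so every pull may bring in
      # a different, unreviewed image. Pin a release tag or an image digest.
      image = "ghcr.io/paperless-ngx/paperless-ngx:latest";
      # NOTE(review): the application, database and broker all join "proxy",
      # presumably the network the reverse proxy uses. Anything else attached
      # to it can reach PostgreSQL and Redis directly; consider a separate
      # backend network for the two data stores.
      network = "proxy";
      volumes = [
        "%h/containers/paperless-ngx/data:/usr/src/paperless/data"
        "%h/containers/paperless-ngx/media:/usr/src/paperless/media"
        "%h/containers/paperless-ngx/export:/usr/src/paperless/export"
        "%h/containers/paperless-ngx/consume:/usr/src/paperless/consume"
        (secretMount "db-password")
        (secretMount "secret")
        (secretMount "openid-providers")
      ];
      environment = {
        # No credentials in the Redis URL and none configured on the broker
        # below: access control rests on network isolation alone.
        PAPERLESS_REDIS = "redis://paperless-ngx-broker:6379";
        PAPERLESS_DBHOST = "paperless-ngx-db";
        PAPERLESS_URL = "https://paperless.local.tbmrs.nl";
        PAPERLESS_DBPASS_FILE = "/run/secrets/db-password";
        PAPERLESS_SECRET_KEY_FILE = "/run/secrets/secret";
        # Password login stays enabled next to OpenID Connect, so local
        # accounts remain a second way in that the identity provider's
        # policies (MFA, lockout) do not cover.
        # NOTE(review): confirm the podman module renders Nix booleans as the
        # strings Paperless expects.
        PAPERLESS_DISABLE_REGULAR_LOGIN = false;
        PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect";
        PAPERLESS_SOCIALACCOUNT_PROVIDERS_FILE = "/run/secrets/openid-providers";
        # Group membership is taken from the identity provider; make sure the
        # provider's group claims are trusted before relying on them for
        # permissions.
        PAPERLESS_SOCIAL_ACCOUNT_SYNC_GROUPS = true;
      };
      extraConfig = {
        Unit = {
          # After= only orders start-up. sops-nix.service is not listed in
          # Requires=, so this unit does not pull it in by itself.
          After = [
            "sops-nix.service"
            "podman-paperless-ngx-db.service"
            "podman-paperless-ngx-broker.service"
          ];
          Requires = [
            "podman-paperless-ngx-db.service"
            "podman-paperless-ngx-broker.service"
          ];
        };
      };
    };

    services.podman.containers.paperless-ngx-db = {
      # Major-version tag: minor and patch updates arrive on the next pull.
      image = "docker.io/library/postgres:17";
      network = "proxy";
      volumes = [
        "%h/containers/paperless-ngx/db-data:/var/lib/postgresql/data"
        (secretMount "db-password")
      ];
      environment = {
        POSTGRES_DB = "paperless";
        POSTGRES_USER = "paperless";
        POSTGRES_PASSWORD_FILE = "/run/secrets/db-password";
      };
      extraConfig = {
        Unit = {
          After = [ "sops-nix.service" ];
        };
      };
    };

    services.podman.containers.paperless-ngx-broker = {
      # Major-version tag, and no authentication is configured for Redis here.
      image = "docker.io/library/redis:7";
      network = "proxy";
      volumes = [
        "%h/containers/paperless-ngx/redis-data:/data"
      ];
    };

    # Reverse-proxy route: host "paperless" is forwarded to the application
    # container on port 8000.
    settings.containers.caddy.routes.tbmrs-local.routes = [{
      name = "paperless-ngx";
      host = "paperless";
      url = "paperless-ngx:8000";
    }];

    # Declare the secrets so sops-nix decrypts them and exposes their paths.
    sops.secrets = {
      "containers/paperless-ngx/db-password" = { };
      "containers/paperless-ngx/secret" = { };
      "containers/paperless-ngx/openid-providers" = { };
    };
  };
}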