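{ pkgs, config, lib, ... }:
with lib;
let
  cfg = config.cloud.firezone;

  # Render an image reference pinned by digest ("name@sha256:...").  The tag
  # passed in finalImageTag is informational only: what gets pulled is the
  # digest, so an upstream re-tag cannot silently change the image.
  # If pullImage were usable here this could simply be
  #   mkImage = pkgs.dockerTools.pullImage;
  mkImage = { imageName, imageDigest, ... }: "${imageName}@${imageDigest}";

  images = {
    postgresql = mkImage {
      imageName = "postgres";
      finalImageTag = "15-alpine";
      imageDigest = "sha256:07ec36ad2d5ab9250f38c8ef749239b662cf15d03c9ddb7167422edbbdf71156";
    };
    # "latest" is only a label here; bump the digest deliberately when
    # upgrading Firezone.
    firezone = mkImage {
      imageName = "firezone/firezone";
      finalImageTag = "latest";
      imageDigest = "sha256:76d869f322998432a09e3f3366f9f5908fe8b2f2968c80b4a60a1a78f879482f";
    };
  };
in
{
  options.cloud.firezone = {
    # mkEnableOption already prefixes "Whether to enable"; the previous text
    # ("Enable authentik OAuth server") described a different module.
    enable = mkEnableOption "the Firezone WireGuard VPN server (run via arion)";

    envFile = mkOption {
      type = types.path;
      description = ''
        Path to an environment file generated by bin/gen_env.  It must define
        DATABASE_PASSWORD (consumed by the postgres container) alongside the
        Firezone settings.  The file is read twice: by systemd, so that
        docker-compose can interpolate ''${VAR} references in the project
        below, and directly by the firezone container via env_file.
        Pass it as a string path outside the Nix store (e.g. an output of your
        secrets manager); a path literal such as ./env would copy the secrets
        into the world-readable store.
      '';
    };

    # types.port (0-65535) instead of types.int: every previously valid value
    # is still accepted, out-of-range values now fail at evaluation time.
    httpPort = mkOption {
      type = types.port;
      default = 51880;
      description = "Host TCP port the Firezone web UI is published on (bound on all interfaces).";
    };

    wireguardPort = mkOption {
      type = types.port;
      default = 51821;
      description = "Host UDP port the WireGuard tunnel is published on.";
    };
  };

  config = mkIf cfg.enable {
    # Exposes the variables in envFile (notably DATABASE_PASSWORD) to the
    # compose invocation so "${VAR}" interpolation in the project works.
    systemd.services.arion-firezone.serviceConfig.EnvironmentFile = cfg.envFile;

    virtualisation.arion.projects.firezone.settings = {
      services.postgres.service = {
        image = images.postgresql;
        restart = "unless-stopped";
        healthcheck = {
          # "$$" is compose's escape for a literal "$": the shell inside the
          # container expands POSTGRES_DB / POSTGRES_USER, not compose.
          test = [ "CMD-SHELL" "pg_isready -d $\${POSTGRES_DB} -U $\${POSTGRES_USER}" ];
          start_period = "20s";
          interval = "30s";
          retries = 5;
          timeout = "5s";
        };
        volumes = [ "/var/lib/firezone/database:/var/lib/postgresql/data" ];
        environment = {
          POSTGRES_USER = "postgres";
          POSTGRES_DB = "firezone";
          # Interpolated by compose from the systemd EnvironmentFile above.
          POSTGRES_PASSWORD = "\${DATABASE_PASSWORD}";
        };
        # No `ports` on purpose: the database is reachable only on the private
        # compose network and is never published on the host.
        networks = [ "firezone-network" ];
      };

      # Static addresses go through `out.service` because arion's typed
      # `networks` option only accepts a list of network names.
      services.firezone.out.service.networks.firezone-network = {
        ipv4_address = "172.25.0.100";
        ipv6_address = "2001:3990:3990::99";
      };

      services.firezone.service = {
        image = images.firezone;
        restart = "unless-stopped";
        volumes = [ "/var/lib/firezone/data:/var/firezone" ];
        env_file = [ cfg.envFile ];
        # Both ports are published on every host interface.  The web UI
        # carries the admin login; keep it behind a reverse proxy or firewall.
        ports = [
          "${toString cfg.httpPort}:13000"
          "${toString cfg.wireguardPort}:51820/udp"
        ];
        # NET_ADMIN is needed to create and configure the WireGuard interface.
        capabilities.NET_ADMIN = true;
        # SYS_MODULE lets the container load kernel modules into the host
        # kernel, which is effectively host root.  NOTE(review): presumably
        # here so the container can modprobe wireguard; on a kernel with
        # WireGuard built in it is likely unnecessary — verify and drop it.
        capabilities.SYS_MODULE = true;
        sysctls = {
          "net.ipv6.conf.all.disable_ipv6" = 0;
          "net.ipv4.ip_forward" = 1;
          "net.ipv6.conf.all.forwarding" = 1;
        };
        # List-form depends_on only orders container start; it does not wait
        # for the postgres healthcheck above to pass.
        depends_on = [ "postgres" ];
      };

      networks.firezone-network = {
        enable_ipv6 = true;
        driver = "bridge";
        ipam.config = [
          { subnet = "172.25.0.0/16"; }
          # NOTE(review): 2001:3990:3990::/64 is in the globally-routable
          # 2000::/3 range; if this prefix is not actually yours, a ULA range
          # (fd00::/8) would be the safer choice for an internal bridge.
          { subnet = "2001:3990:3990::/64"; gateway = "2001:3990:3990::1"; }
        ];
      };
    };
  };
}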