{ config, ... }:

{
  virtualisation.oci-containers.containers.pocketid = {
    image = "ghcr.io/pocket-id/pocket-id";
    volumes = [ "/var/lib/pocketid/data:/app/backend/data" ];
    ports = [ "8025:8025" ];
    environment = {
      PUBLIC_APP_URL = "https://auth.${config.homelab.domain}";
      TRUST_PROXY = "true";
      CADDY_PORT = "8025";

      PUID = "1000";
      GUID = "1000";
    };
  };

  services.caddy.virtualHosts."auth.${config.homelab.domain}" = {
    useACMEHost = config.homelab.domain;
    extraConfig = ''
      reverse_proxy http://localhost:8025
      import block_non_private_ips
    '';
  };
}