{ config, ... }:

{
  virtualisation.oci-containers.containers.linkding = {
    image = "sissbruecker/linkding:latest";
    ports = [ "9090:9090" ];
    volumes = [ "/var/lib/linkding/data:/data" ];
    environmentFiles = [
      # create superuser account before initially signing in
      # https://linkding.link/options/#oidc-and-ld_superuser_name
      # include following environment variables:
      #   OIDC_RP_CLIENT_SECRET - set to oidc client secret
      /var/lib/linkding/oidc

    ];
    environment = {
      # Can be used to run linkding under a context path, for example: linkding/
      # Must end with a slash `/`
      "LD_CONTEXT_PATH"="";
      # Username of the initial superuser to create, leave empty to not create one
      "LD_SUPERUSER_NAME"="";
      # Option to disable background tasks
      "LD_DISABLE_BACKGROUND_TASKS"="False";
      # Option to disable URL validation for bookmarks completely
      "LD_DISABLE_URL_VALIDATION"="False";
      # List of trusted origins from which to accept POST requests
      # See docs/Options.md for more details
      "LD_CSRF_TRUSTED_ORIGINS"="";

      # OIDC
      "LD_ENABLE_OIDC" = "True";
      "OIDC_OP_AUTHORIZATION_ENDPOINT"="https://${config.homelab.authDomain}/ui/oauth2";
      "OIDC_OP_TOKEN_ENDPOINT"="https://${config.homelab.authDomain}/oauth2/token";
      "OIDC_OP_USER_ENDPOINT"="https://${config.homelab.authDomain}/oauth2/openid/linkding/userinfo";
      "OIDC_OP_JWKS_ENDPOINT"="https://${config.homelab.authDomain}/oauth2/openid/linkding/public_key.jwk";
      "OIDC_RP_SIGN_ALGO"="ES256";
      "OIDC_RP_CLIENT_ID"="linkding";

      # Database settings
      # These are currently only required for configuring PostreSQL.
      # By default, linkding uses SQLite for which you don't need to configure anything.

      # Database engine, can be sqlite (default) or postgres
      "LD_DB_ENGINE"="sqlite";
      # Database name (default: linkding)
      "LD_DB_DATABASE"="";
      # Username to connect to the database server  (default: linkding)
      "LD_DB_USER"="";
      # Password to connect to the database server
      "LD_DB_PASSWORD"="";
    };
  };

  services.caddy.virtualHosts."bookmark.${config.homelab.domain}" = {
    useACMEHost = config.homelab.domain;
    extraConfig = ''
      reverse_proxy http://localhost:9090
      import block_non_private_ips
    '';
  };
}