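# NixOS module: runs Karakeep as an OCI container and publishes it through
# Caddy at karakeep.<homelab.domain>. Sign-in is OIDC only (password auth is
# disabled); secrets are supplied from files outside the Nix store.
{ config, ... }:
{
  virtualisation.oci-containers.containers.karakeep = {
    # NOTE(review): `:release` is a moving tag, so the running code can change
    # on any pull. For reproducible, auditable deploys pin by digest, e.g.
    #   ghcr.io/karakeep-app/karakeep@sha256:<DIGEST_PLACEHOLDER>
    image = "ghcr.io/karakeep-app/karakeep:release";

    volumes = [ "/var/lib/karakeep/data:/data" ];

    # Publish on loopback only. Without a host address the port is published
    # on every interface, which lets clients reach the app over plain HTTP and
    # skip both Caddy's TLS and the `block_non_private_ips` filter below
    # (container-published ports are often not covered by the host firewall).
    ports = [ "127.0.0.1:8023:3000" ];

    environment = {
      DATA_DIR = "/data"; # don't change: must match the container side of `volumes`

      OAUTH_WELLKNOWN_URL = "https://${config.homelab.authDomain}/oauth2/openid/karakeep/.well-known/openid-configuration";
      OAUTH_PROVIDER_NAME = "${config.homelab.domain}";
      NEXTAUTH_URL = "https://karakeep.${config.homelab.domain}";

      # All sign-ins go through the OIDC provider.
      DISABLE_PASSWORD_AUTH = "true";

      # Links an OAuth login to an existing account that has the same email.
      # This is only safe while the single configured IdP verifies email
      # addresses and users cannot set arbitrary ones there; otherwise whoever
      # controls a matching email at the IdP gets that Karakeep account.
      OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING = "true";
    };

    # Secrets live in files read at container start, not in this module, so
    # they never end up in the world-readable Nix store. Written as strings
    # rather than path literals because an interpolated path literal is copied
    # into the store. Keep both files readable only by the account that starts
    # the container (presumably root - confirm), e.g. mode 0600.
    environmentFiles = [
      # put the environment variable NEXTAUTH_SECRET in here
      # with a randomly generated string. gen with `openssl rand -base64 36`
      "/var/lib/karakeep/nextauth-secret"

      # OIDC client settings (client id / secret); see
      # https://pocket-id.org/docs/client-examples/hoarder
      "/var/lib/karakeep/oidc"
    ];
  };

  services.caddy.virtualHosts."karakeep.${config.homelab.domain}" = {
    useACMEHost = config.homelab.domain;
    # `block_non_private_ips` is a snippet defined elsewhere in the Caddy
    # config; presumably it rejects clients outside private ranges - verify.
    # The upstream address matches the loopback bind in `ports` above.
    extraConfig = ''
      reverse_proxy http://127.0.0.1:8023
      import block_non_private_ips
    '';
  };
}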