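# NixOS module: runs FreshRSS as an OCI container on its own Docker network,
# stores its data on an NFS share, and publishes it through Traefik labels.
{ config, lib, pkgs, ... }:

let
  cfg = config.homelab.apps.freshrss;

  # Name of the dedicated Docker network the container is attached to.
  networkName = "freshrss";
in {
  options.homelab.apps.freshrss = {
    enable = lib.mkEnableOption "FreshRSS";
    port = lib.mkOption {
      # types.port rejects values outside 0-65535 at evaluation time,
      # which a plain int would accept.
      type = lib.types.port;
      default = 9080;
      description = "FreshRSS WebUI port";
    };
  };

  config = let
    inherit (cfg) port;
  in lib.mkIf cfg.enable {
    homelab.virtualisation.containers.enable = true;

    # Persistent FreshRSS data lives on an NFS export.
    # NOTE(review): nothing here makes the container unit wait for this mount;
    # if the container starts first, Docker would bind-mount (and possibly
    # create) the paths on the local disk instead. Consider
    # RequiresMountsFor on the container unit.
    # NOTE(review): "soft" combined with "rw"/"async" lets a timed-out write
    # fail partway through; confirm that is acceptable for this data.
    fileSystems."/srv/freshrss" = {
      device = "192.168.0.11:/mnt/SMALL/CONFIG/FRESHRSS";
      fsType = "nfs";
      options = [
        "rw"
        "auto"
        "nfsvers=4.2"
        "async"
        "soft"
        "timeo=600"
        "retrans=2"
        "_netdev"
        "nosuid"
        "tcp"
      ];
    };

    # One-shot unit that makes sure the Docker network exists.
    systemd.services."docker-${networkName}-create-network" = {
      description = "Create Docker network for ${networkName}";
      requiredBy = [ "docker-freshrss.service" ];
      # requiredBy only adds a Requires= dependency, not ordering; without
      # before= systemd may start the container in parallel with this unit,
      # before the network exists.
      before = [ "docker-freshrss.service" ];
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
      };
      # `network inspect` looks the network up by name, whereas
      # `network ls | grep` also matched any other network whose name merely
      # contains the string and then skipped creation.
      script = ''
        ${pkgs.docker}/bin/docker network inspect ${networkName} >/dev/null 2>&1 \
          || ${pkgs.docker}/bin/docker network create ${networkName}
      '';
    };

    virtualisation.oci-containers.containers.freshrss = {
      hostname = "freshrss";
      # NOTE(review): pinned by tag only; a tag can be re-pushed upstream.
      # Pinning by image digest as well would make the pulled content fixed.
      image = "freshrss/freshrss:1.25.0";
      autoStart = true;
      # NOTE(review): UID 0 with GID 33; confirm the image really needs root.
      user = "0:33";
      # NOTE(review): this publishes plain HTTP on every host interface, so
      # clients can reach FreshRSS without passing through the Traefik router
      # (TLS and header middlewares) defined in the labels. If only Traefik
      # needs access, bind to 127.0.0.1 or drop the published port.
      ports = [
        "${toString port}:80/tcp"
      ];
      extraOptions = [
        "--network=${networkName}"
      ];
      environment = {
        TZ = config.time.timeZone;
        CRON_MIN = "3,18,33,48"; # Alternatively, configure cron inside container.
        SERVER_DNS = "rss.depeuter.dev";
        # NOTE(review): these ranges presumably decide which peers FreshRSS
        # believes forwarded client-address headers from. They cover
        # 192.168.0.0/16, which includes the LAN the NFS server sits on;
        # together with the published port above, LAN hosts could then present
        # an arbitrary client address. Narrow to the proxy's address if possible.
        TRUSTED_PROXY = "172.16.0.1/12 192.168.0.1/16";
      };
      volumes = [
        "/srv/freshrss/www/freshrss/data:/var/www/FreshRSS/data"
        "/srv/freshrss/www/freshrss/extensions:/var/www/FreshRSS/extensions"
      ];
      # Traefik routing: HTTPS-only router on the "websecure" entry point with
      # a compression middleware (M1) and a security-headers middleware (M2).
      labels = {
        "traefik.enable" = "true";
        "traefik.http.middlewares.freshrssM1.compress" = "true";
        "traefik.http.middlewares.freshrssM2.headers.browserXssFilter" = "true";
        "traefik.http.middlewares.freshrssM2.headers.forceSTSHeader" = "true";
        "traefik.http.middlewares.freshrssM2.headers.frameDeny" = "true";
        "traefik.http.middlewares.freshrssM2.headers.referrerPolicy" = "no-referrer-when-downgrade";
        "traefik.http.middlewares.freshrssM2.headers.stsSeconds" = "31536000";
        "traefik.http.routers.freshrss.entryPoints" = "websecure";
        "traefik.http.routers.freshrss.tls" = "true";
        "traefik.http.services.freshrss.loadbalancer.server.port" = "80";
        "traefik.http.routers.freshrss.middlewares" = "freshrssM1,freshrssM2";
        "traefik.http.routers.freshrss.rule" = "Host(`rss.depeuter.dev`)";
      };
    };
  };
}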