# NixOS module: runs the Moltbot gateway as a podman-backed OCI container,
# with persistent state on the host and a sops-managed gateway token declared.
# Reads `config.networkPrefix`, which is defined outside this module.
{ config, pkgs, lib, ... }:

with lib;

{
  # Moltbot - AI assistant with WebChat
  # Container with browser support for web automation
  virtualisation.oci-containers.backend = "podman";

  # Secret for gateway authentication token
  # NOTE(review): nothing else in this module references this secret (no
  # environmentFiles entry, no volume, no use of its .path), so as written the
  # token is decrypted on the host but never reaches the container. Confirm
  # where it is wired in, or whether the gateway currently runs without it.
  sops.secrets.moltbot-gateway-token = {
    key = "moltbot-gateway-token";
  };

  # Persistent directories on host for backup
  # UID 1000 is the 'node' user inside the container
  # NOTE(review): the ownership below is a host-side UID/GID, so whichever host
  # account has UID 1000 also owns these trees. They are mode 0755, and
  # /var/lib/moltbot/home holds the gateway state directory (see
  # MOLTBOT_STATE_DIR), so any local user can traverse it; consider 0750 or 0700
  # if the state contains credentials or session data - TODO confirm.
  systemd.tmpfiles.rules = [
    "d /var/lib/moltbot 0755 1000 1000 - -"
    "d /var/lib/moltbot/home 0755 1000 1000 - -"
    "d /var/lib/moltbot/extensions 0755 1000 1000 - -"
    # Root-only runtime directory. Not mounted or referenced anywhere in this
    # module; presumably intended for a rendered token/env file - verify.
    "d /run/moltbot 0700 root root - -"
  ];

  virtualisation.oci-containers.containers.moltbot = {
    # Mutable branch tag, not a digest. Combined with --pull=newer below, a
    # restart runs whatever the registry currently serves under `main`. Pinning
    # to image@sha256:<digest> would make upgrades an explicit, reviewable step.
    image = "ghcr.io/moltbot/moltbot:main";

    # Run gateway mode, bind to all interfaces in container
    # NOTE(review): "--allow-unconfigured" presumably lets the gateway start
    # without a completed configuration; confirm it does not also start the
    # listener without token authentication, given the secret above is not
    # passed in here.
    cmd = [
      "dist/index.js"
      "gateway"
      "--bind"
      "lan"
      "--port"
      "18789"
      "--allow-unconfigured"
    ];

    # Published on one host address only (<networkPrefix>.97.1), not on every
    # host interface. Anything that can route to that address can reach both
    # ports, so exposure depends on the firewalling of that network.
    ports = [
      "${config.networkPrefix}.97.1:18789:18789" # Gateway/WebChat
      "${config.networkPrefix}.97.1:18790:18790" # Bridge
    ];

    # Both mounts are read-write. /app/extensions sits inside the application
    # tree, so a process in the container can persist changes there across
    # restarts and image updates. Presumably extensions are loaded as code;
    # if so, treat this directory as part of the trusted code base and
    # monitor it for unexpected changes.
    volumes = [
      "/var/lib/moltbot/home:/home/node:rw"
      "/var/lib/moltbot/extensions:/app/extensions:rw"
    ];

    environment = {
      HOME = "/home/node";
      TERM = "xterm-256color";
      # State lives under the bind-mounted home, i.e. /var/lib/moltbot/home/.moltbot on the host.
      MOLTBOT_STATE_DIR = "/home/node/.moltbot";
      CLAWDBOT_STATE_DIR = "/home/node/.moltbot";
      # Presumably leaves Puppeteer free to fetch its own Chromium build rather
      # than using one shipped in the image - verify; if so, that binary is
      # downloaded outside the image's provenance.
      PUPPETEER_SKIP_CHROMIUM_DOWNLOAD = "false";
    };

    extraOptions = [
      # Pull when the registry copy is newer than the local one (see image note).
      "--pull=newer"
      # Attach to the podman network named "server" (defined elsewhere) with a fixed address.
      "--network=server"
      "--ip=${config.networkPrefix}.97.60"
      # Run a minimal init as PID 1 inside the container.
      "--init"
      # Chrome sandbox capabilities
      # NOTE(review): CAP_SYS_ADMIN is a very broad capability and
      # seccomp=unconfined removes the syscall filter entirely. Together they
      # strip most of the container's kernel-level isolation from a workload
      # that renders arbitrary web content. If the goal is only to let Chrome
      # set up its own sandbox, a custom seccomp profile that allows just the
      # namespace-related syscalls is the narrower option - TODO evaluate
      # whether SYS_ADMIN can then be dropped.
      "--cap-add=SYS_ADMIN"
      "--security-opt=seccomp=unconfined"
    ];
  };
}