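{ config, pkgs, lib, ... }:

let
  # Public hostname served by nginx; TLS is terminated there (see virtualHosts).
  domain = "a11ywatch.cloonar.com";
  # Host directory bind-mounted into both containers as /a11ywatch/conf.
  confDir = "/var/lib/a11ywatch";
  json = pkgs.formats.json { };
  # Dedicated bridge network both containers are attached to, and the systemd
  # unit that guarantees it exists before the containers start.
  netName = "a11ywatch-net";
  netUnit = "a11ywatch-net.service";
in
{
  # 1) Podman as the container runtime (daemonless; dockerCompat only installs a
  #    `docker` CLI alias, it does not create a docker daemon or socket).
  virtualisation.podman = {
    enable = true;
    dockerCompat = true;
    # Name resolution between containers on the default podman network; the
    # custom network below enables DNS on its own (dns_enabled).
    defaultNetwork.settings.dns_enabled = true;
  };

  # TLS front door. Only "/" is proxied, so the backend on 3280 is not reachable
  # through nginx; see the `ports` comments on the containers below.
  # NOTE(review): enableACME only works if security.acme.acceptTerms and
  # security.acme.defaults.email are set elsewhere in this configuration — confirm.
  services.nginx.virtualHosts."${domain}" = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      # 127.0.0.1 rather than "localhost": the frontend port is published on
      # 127.0.0.1 only, so a ::1 resolution of localhost would not connect.
      proxyPass = "http://127.0.0.1:3000/";
    };
  };

  # Declarative definition of the bridge network. Root podman reads network
  # definitions from /etc/containers/networks, so this file alone makes the
  # network exist; the oneshot service below only verifies it at boot.
  environment.etc."containers/networks/${netName}.json".source =
    json.generate "${netName}.json" {
      name = netName;
      id = "ccb4b7fb90d2df26db27ef0995765b04f52d318db752c9474b470c5ef4d7978d";
      driver = "bridge";
      # podman1 so it does not collide with the default network's podman0.
      network_interface = "podman1";
      subnets = [
        {
          subnet = "10.89.0.0/24";
          gateway = "10.89.0.1";
        }
      ];
      ipv6_enabled = false;
      internal = false;
      dns_enabled = true;
      ipam_options = { driver = "host-local"; };
    };

  # Service account that owns the configuration directory. The oci-containers
  # units themselves run as root under systemd; this account does not run the
  # containers, it only owns ${confDir} on the host.
  users.users.a11ywatch = {
    isSystemUser = true;
    group = "a11ywatch";
    home = confDir;
    createHome = true;
  };
  users.groups.a11ywatch = { };
  # Intentionally no `docker` group membership for this account: with Podman
  # there is no docker daemon socket for that group to unlock, and wherever a
  # docker socket does exist the docker group is root-equivalent. Nothing in
  # this module needs it.

  # 2) Oneshot that checks the network exists at boot and creates it as a
  #    fallback if the static definition above is missing. This uses `script`
  #    (run through a shell) instead of serviceConfig.ExecStart: systemd does
  #    not interpret `||` or `>/dev/null 2>&1`, so in ExecStart they would be
  #    passed to `podman network inspect` as literal arguments.
  systemd.services.a11ywatch-net = {
    description = "Ensure ${netName} Podman network exists";
    wants = [ "podman.service" ];
    after = [ "podman.service" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
    };
    script = ''
      podman=${pkgs.podman}/bin/podman
      if ! "$podman" network inspect ${netName} >/dev/null 2>&1; then
        "$podman" network create ${netName}
      fi
    '';
  };

  # Both containers are started with --network=${netName}; order them after the
  # unit above so a boot-time start cannot race the network's existence.
  # (NixOS names podman-backed oci-containers units podman-<name>.service.)
  systemd.services.podman-a11ywatch-backend = {
    after = [ netUnit ];
    requires = [ netUnit ];
  };
  systemd.services.podman-a11ywatch-frontend = {
    after = [ netUnit ];
    requires = [ netUnit ];
  };

  # 3) The two containers, run by the podman backend.
  virtualisation.oci-containers = {
    backend = "podman";
    containers = {
      a11ywatch-backend = {
        # NOTE(review): pin to a version tag or an @sha256 digest. `:latest` is
        # mutable, so each pull may deploy different code than was reviewed.
        image = "docker.io/a11ywatch/a11ywatch:latest";
        autoStart = true;
        # Published on loopback only. Ports published by podman are DNAT'd before
        # the host INPUT chain, so a 0.0.0.0 binding is typically reachable even
        # with networking.firewall enabled, bypassing the nginx TLS front door.
        # NOTE(review): if the browser-side client must reach the API directly,
        # add an nginx location that proxies to 127.0.0.1:3280 rather than
        # publishing 3280 on all interfaces in clear text.
        ports = [ "127.0.0.1:3280:3280" ];
        # NOTE(review): read-write; append ":ro" if this service only reads conf.
        volumes = [ "${confDir}:/a11ywatch/conf" ];
        environment = {
          # NOTE(review): what SUPER_MODE unlocks is not visible here — confirm it
          # is intended on an Internet-facing host.
          SUPER_MODE = "true";
        };
        extraOptions = [ "--network=${netName}" ];
      };

      a11ywatch-frontend = {
        # NOTE(review): pin to a version tag or an @sha256 digest (see above).
        image = "docker.io/a11ywatch/web:latest";
        autoStart = true;
        # Loopback only: nginx is the sole intended entry point (proxyPass above).
        ports = [ "127.0.0.1:3000:3000" ];
        # NOTE(review): read-write; append ":ro" if this service only reads conf.
        volumes = [ "${confDir}:/a11ywatch/conf" ];
        environment = {
          SUPER_MODE = "true";
        };
        extraOptions = [ "--network=${netName}" ];
      };
    };
  };
}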