{ config, pkgs, lib, ... }:

{
  # Create static user instead of using DynamicUser
  users.users.n8n = {
    isSystemUser = true;
    group = "n8n";
    home = "/var/lib/n8n";
  };
  users.groups.n8n = {};

  # PostgreSQL database setup
  services.postgresql = {
    enable = true;
    ensureDatabases = [ "n8n" ];
    ensureUsers = [{
      name = "n8n";
    }];
  };

  # n8n service configuration
  services.n8n = {
    enable = true;
    settings = {
      database.type = "postgresdb";
      database.postgresdb.host = "/run/postgresql";
      database.postgresdb.database = "n8n";
      database.postgresdb.user = "n8n";
      executions.pruneData = true;
      executions.pruneDataMaxAge = 168; # 7 days
    };
  };

  # Configure git integration via environment variables
  systemd.services.n8n = {
    environment = lib.mkForce {
      N8N_ENCRYPTION_KEY = ""; # Will be set via environmentFile
      N8N_VERSION_NOTIFICATIONS_ENABLED = "false";
      N8N_DIAGNOSTICS_ENABLED = "false";
      N8N_PERSONALIZATION_ENABLED = "false";
      WEBHOOK_URL = "https://n8n.cloonar.com";
      N8N_HOST = "n8n.cloonar.com";
      N8N_PROTOCOL = "https";
      N8N_PORT = "5678";
    };
    serviceConfig = {
      DynamicUser = lib.mkForce false;
      User = "n8n";
      Group = "n8n";
      EnvironmentFile = config.sops.secrets.n8n-env.path;
    };
    preStart = lib.mkAfter ''
      # Setup git SSH key if provided
      if [ -n "$N8N_GIT_SSH_KEY_PATH" ] && [ -f "$N8N_GIT_SSH_KEY_PATH" ]; then
        mkdir -p /var/lib/n8n/.ssh
        chmod 700 /var/lib/n8n/.ssh
        cp "$N8N_GIT_SSH_KEY_PATH" /var/lib/n8n/.ssh/id_ed25519
        chmod 600 /var/lib/n8n/.ssh/id_ed25519
        chown -R n8n:n8n /var/lib/n8n/.ssh
      fi
    '';
  };

  # SOPS secrets (managed within the web microvm)
  sops.secrets.n8n-env = {
    owner = "n8n";
    mode = "0400";
  };
  sops.secrets.n8n-git-key = {
    owner = "n8n";
    mode = "0400";
  };

  # PostgreSQL backup
  services.postgresqlBackup.enable = true;
  services.postgresqlBackup.databases = [ "n8n" ];

  # Nginx reverse proxy
  services.nginx.virtualHosts."n8n.cloonar.com" = {
    forceSSL = true;
    enableACME = true;
    acmeRoot = null;

    # Restrict to internal LAN only
    extraConfig = ''
      allow ${config.networkPrefix}.96.0/24;
      allow ${config.networkPrefix}.98.0/24;
      deny all;
    '';

    locations."/" = {
      proxyPass = "http://127.0.0.1:5678";
      proxyWebsockets = true;
    };
  };
}