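{ pkgs, lib, ... }:
let
  # Deployment state file: seeded from cloud-init by the activation script
  # below and bind-mounted into the deploymentagent container, which writes
  # it (DEPLOYMENT_STATE_FILE). The api/web image tags are read from it.
  deploymentStateFile = "/mnt/data/guidelines.json";

  # Environment name provided by cloud-init; read once and reused by every
  # container that needs it (ENVIRONMENT and the Vault secret paths).
  # NOTE(review): builtins.readFile keeps a trailing newline if the file has
  # one, and that newline would end up inside VAULT_SECRET_PATH -- confirm the
  # file is written without one (lib.fileContents would strip it).
  environmentName = builtins.readFile /opt/cloud-init-misc-data/environment;

  # Image tag to deploy for `app`: the entry recorded in the deployment state
  # file, or "latest" when that file does not exist yet. A state file without
  # an entry for `app` now also falls back to "latest" instead of aborting the
  # whole evaluation with a missing-attribute error.
  # "latest" is a mutable tag, so a fallback rollout is not reproducible and
  # cannot be pinned or audited by tag alone.
  releaseVersion = app:
    if builtins.pathExists deploymentStateFile
    then (builtins.fromJSON (builtins.readFile deploymentStateFile)).${app} or "latest"
    else "latest";

  # Host alias injected into every container so it can reach services bound
  # to the host's private address (Redis, Vault, the rebuild socket).
  hostAlias = [ "--add-host=host:10.0.1.51" ];
in
{
  virtualisation = {
    podman = {
      enable = true;
      dockerCompat = true;
    };

    oci-containers = {
      backend = "podman";

      containers."api" = {
        image = "registry.gitlab.com/infektweb/glv5/api:${releaseVersion "api"}";
        ports = [ "8001:8080" ];
        extraOptions = hostAlias;
        environment = {
          "PORT" = "8080";
          # NOTE(review): "[space]" reads like an unexpanded template
          # placeholder -- confirm this is the intended value.
          "BASE_CLIENT_URL" = "http://[space].guidelines.ch";
          "ENVIRONMENT" = environmentName;
          "VAULT_SECRET_PATH" = "kv/data/guidelines/${environmentName}/api";
          "VAULT_URL" = "http://host:8200";
        };
        # The Vault token is mounted from the host as a file rather than
        # passed through the environment.
        volumes = [ "/mnt/data/vault-guidelines-api-token:/vault-token" ];
      };

      containers."web" = {
        image = "registry.gitlab.com/infektweb/glv5/web:${releaseVersion "web"}";
        ports = [ "80:8080" ];
        extraOptions = hostAlias;
        environment = {
          "API_URL" = "http://host:8001";
          "PORT" = "8080";
          "CLIENT_URL" = "https://guidelines.ch";
          "REDIS_URL" = "redis://host:6379";
          # Auth0 and challenge values are empty placeholders in this module.
          # NOTE(review): whatever is set here lands in the container's
          # environment (and in the Nix store); the api container sources its
          # secrets from Vault instead -- confirm that is the intended path
          # for these as well.
          "AUTH0_AUDIENCE" = "";
          "AUTH0_CLIENT_ID" = "";
          "AUTH0_CLIENT_SECRET" = "";
          "AUTH0_DOMAIN" = "";
          "CHALLENGE_CONTENT" = "";
          "CHALLENGE_ID" = "";
        };
      };

      containers."deploymentagent" = {
        image = "registry.gitlab.com/infektweb/glv5/hetzner-cloud-environment/deploymentagent:poc-integration";
        ports = [ "5000:5000" ];
        extraOptions = hostAlias;
        environment = {
          "VAULT_SECRET_PATH" = "kv/data/guidelines/${environmentName}/deploymentagent";
          "VAULT_URL" = "http://host:8200";
          # The listener behind host:4444 is not defined in this module.
          "NIXOS_REBUILD_SOCKET_URL" = "host:4444";
          "DEPLOYMENT_STATE_FILE" = "/guidelines.json";
        };
        # The podman API socket (served by docker-podman-rest-api below) is
        # bind-mounted in: this container can drive the host's container
        # runtime, so treat it as host-privileged when reviewing its image
        # and its exposed port.
        volumes = [
          "/mnt/data/vault-deploymentagent-token:/vault-token"
          "/run/podman-containers.sock:/tmp/podman/podman.sock"
          "${deploymentStateFile}:/guidelines.json"
        ];
      };

      # containers."html2pdf" = {
      # };
      # containers."filestore" = {
      # };
    };
  };

  # Serves the podman API on a unix socket for the deploymentagent container.
  # --time=0 disables the idle timeout so the socket stays available.
  systemd.services.docker-podman-rest-api = {
    serviceConfig.Type = "simple";
    serviceConfig.Restart = lib.mkForce "always";
    wantedBy = [ "multi-user.target" ];
    script = ''
      /run/current-system/sw/bin/podman system service --time=0 unix:///run/podman-containers.sock
    '';
  };

  # Seed the deployment state file from cloud-init on first activation only;
  # an existing file (possibly updated by the deploymentagent) is kept.
  system.activationScripts = {
    guidelinesJson = {
      text = "test -f ${deploymentStateFile} || cp /opt/cloud-init-misc-data/guidelines.json ${deploymentStateFile}";
      deps = [];
    };
  };

  # Redis is bound to the host's private address and reached by the
  # containers via the "host" alias; protected-mode is turned off and 6379 is
  # opened in the firewall below for that. No requirePass is configured in
  # this module, so access control rests on who can reach 10.0.1.51.
  # NOTE(review): confirm that address is not reachable beyond the intended
  # network segment.
  services.redis = {
    enable = true;
    bind = "10.0.1.51";
    vmOverCommit = true;
    extraConfig = ''
      protected-mode no
    '';
  };

  systemd.services.redis.serviceConfig = {
    ReadWriteDirectories = "/var/lib/redis";
    TimeoutStartSec = "60";
    TimeoutStopSec = "60";
  };

  # 6379: Redis; 5000: deploymentagent's published port; 4444: the rebuild
  # socket referenced by NIXOS_REBUILD_SOCKET_URL (listener defined elsewhere).
  networking.firewall.allowedTCPPorts = [ 6379 5000 4444 ];
}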