# NixOS module: runs the Manyfold app as an OCI container, driven by the
# options declared in ./options.nix (config.nas-apps.manyfold).
{ lib, config, ... }:
let
  cfg = config.nas-apps.manyfold;
in
{
  imports = [ ./options.nix ];

  # Nothing is defined unless the service is switched on.
  config = lib.mkIf cfg.enable {
    virtualisation.oci-containers.containers.${cfg.name} = {
      inherit (cfg) autoStart image;

      # Host port -> container port 3214. No host address is given, so the
      # runtime publishes on every interface; if this sits behind a reverse
      # proxy on the same host, a "127.0.0.1:" prefix would keep it local.
      # NOTE(review): interpolation requires httpPort to be a string — if
      # options.nix declares it as an int, use toString.
      ports = [ "${cfg.httpPort}:3214" ];

      # Hardening: start from an empty capability set and add back only the
      # ones listed; forbid privilege escalation via setuid binaries.
      # The four re-added caps presumably let the image's init chown the
      # volumes and switch to PUID/PGID — confirm against the image before
      # trimming further.
      extraOptions = [
        "--cap-drop=ALL"
        "--cap-add=CHOWN"
        "--cap-add=DAC_OVERRIDE"
        "--cap-add=SETUID"
        "--cap-add=SETGID"
        "--security-opt=no-new-privileges:true"
      ];

      # Persistent state lives on the host.
      volumes = [
        "${cfg.configPath}:/config"
        "${cfg.dataPath}:/libraries"
      ];

      # Identity and locale passed to the container. oci-containers expects
      # string values here; if puid/pgid are ints in options.nix, wrap with
      # toString.
      environment = {
        PUID = cfg.puid;
        PGID = cfg.pgid;
        TZ = cfg.timeZone;
      };

      # The secret key base is injected from a sops-managed file rather than
      # placed in `environment`, so it never lands in the Nix store or in
      # `docker inspect` output.
      environmentFiles = [
        config.sops.secrets."jallen-nas/manyfold/secretkeybase".path
      ];
    };
  };
}