{ config, containerCfg, pkgs, lib, builder, name, ... }:
let 
  version = "latest";
  serverCfg = config.syscfg.server;
  
in {
  vm = {
    portForward = [ 8123 ];
    cfg = {cfg,...}:{ 
      services.home-assistant = {
        enable = true;
        openFirewall = true;
        
        extraComponents = [
          "matter" "thread" "cast" "zha"
          "default_config" "met" "esphome" "radio_browser"
          "telegram_bot" "swiss_public_transport" "nextcloud" "jellyfin" 
        ]  ++ (if containerCfg.extra ? components then containerCfg.extra.components else []);
        

        extraPackages = pp: with pp; [
            python-telegram gtts
        ];
        lovelaceConfig = {};

        config = {
          homeassistant = {
            name = "Home";
            latitude = "${if containerCfg.extra ? latitude then toString containerCfg.extra.latitude else toString 0}";
            longitude = "${if containerCfg.extra ? longitude then toString containerCfg.extra.longitude else toString 0}";
            elevation = "${if containerCfg.extra ? elevation then toString containerCfg.extra.elevation else toString 0}";
            unit_system = "metric";
            time_zone = config.time.timeZone;
          };
          lovelace = { mode = "yaml"; };
          customLovelaceModules = [];
          
          # default_config = {};
          http = {
            use_x_forwarded_for = true;
            trusted_proxies = [ "10.0.0.0/8" "127.0.0.1" ];
          };
        };
      };
    };
  };

  containers = {
    dummy = builder.mkContainer {
      subdomain = containerCfg.subdomain;
      image = "alpine:latest";
      extraLabels = {
        "traefik.http.services.${containerCfg.subdomain}.loadbalancer.server.url" = "http://${builder.hostIp}:8123";
      };
      overrides = {cmd = [ "sleep" "infinity" ];};
    };
  };

  setup = {
    trigger = "dummy";
    envFile = config.sops.secrets."CUSTOM".path;
    script = pkgs.writeShellScript "setup" ''

    HASS_URL="https://${containerCfg.subdomain}.${serverCfg.domain}"
    until [[ "$(${pkgs.curl}/bin/curl -s -o /dev/null -w "%{http_code}" "$HASS_URL/manifest.json")" =~ (200|301|302) ]]; do
      sleep 5
    done
    sleep 5

    ONBOARDING_STATUS=$(${pkgs.curl}/bin/curl -s -o /dev/null -w "%{http_code}" "$HASS_URL/api/onboarding" 2>/dev/null || echo "000")

    if [ "$ONBOARDING_STATUS" = "200" ]; then
      AUTH_CODE=$( ${pkgs.curl}/bin/curl -s -X POST "$HASS_URL/api/onboarding/users" \
        -H "Content-Type: application/json" \
        -d '{"client_id":"'"$HASS_URL"'","name":"'"$DEFAULT_ADMIN_USERNAME"'","username":"'"$DEFAULT_ADMIN_USERNAME"'","password":"'"$DEFAULT_ADMIN_PASSWORD"'","language":"en"}' \
        | ${pkgs.jq}/bin/jq -r '.auth_code' )

      ACCESS_TOKEN=$(${pkgs.curl}/bin/curl -s -X POST "$HASS_URL/auth/token" \
          -H "Content-Type: application/x-www-form-urlencoded" \
          -d "grant_type=authorization_code&code=$AUTH_CODE&client_id=$HASS_URL" \
      | ${pkgs.jq}/bin/jq -r '.access_token' )    

      ${pkgs.curl} -s -X POST "$HASS_URL/api/onboarding/core_config" \
          -H "Authorization: Bearer $ACCESS_TOKEN" \
          -H "Content-Type: application/json" \
          -d '{"time_zone":"${config.time.timeZone}"}' > /dev/null 2>&1 || true
      # We can configure many more things above !

      ${pkgs.curl} -s -X POST "$HASS_URL/api/onboarding/analytics" \
          -H "Authorization: Bearer $ACCESS_TOKEN" \
          -H "Content-Type: application/json" -d '{}' > /dev/null 2>&1 || true

      ${pkgs.curl} -s -X POST "$HA_URL/api/onboarding/integration" \
          -H "Authorization: Bearer $ACCESS_TOKEN" \
          -H "Content-Type: application/json" \
          -d '{"client_id":"'"$HASS_URL"'","redirect_uri":"'"$HASS_URL"'/?auth_callback=1"}' > /dev/null 2>&1 || true
    fi
    '';
  };

}