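# Home Assistant service module: one host-networked container plus a one-shot
# setup script that completes first-run onboarding (owner account, core
# config, analytics, integration) over the instance's public URL.
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
  # NOTE(review): "latest" is a mutable tag, so the image that runs with host
  # networking and extra capabilities can change between pulls without any
  # change to this file. Pin a release tag or digest once one is chosen.
  version = "latest";
  serverCfg = config.syscfg.server;

  # Absolute paths to the binaries the setup script calls. Interpolating the
  # bare package (as the original did for three calls) yields the store
  # directory, which cannot be executed.
  curl = "${pkgs.curl}/bin/curl";
  jq = "${pkgs.jq}/bin/jq";
in
{
  sops = true;
  db = false;

  paths = [
    {
      path = "${serverCfg.configPath}/homeassistant/";
      # NOTE(review): 0755 lets every local user list and traverse the
      # directory mounted as /config below; tighten it if the ownership set
      # elsewhere allows.
      mode = "0755";
    }
  ];

  containers = {
    server = builder.mkContainer {
      subdomain = containerCfg.subdomain;
      image = "ghcr.io/home-assistant/home-assistant:${version}";
      port = 8123;
      secret = name;
      # NOTE(review): host networking combined with NET_ADMIN and NET_RAW
      # lets the container reconfigure host interfaces and read raw traffic,
      # so this container sits at host trust level for networking.
      extraOptions = [
        # Shares host IP: fixes timeouts & MDNS discovery
        "--network=host"
        # Grants administrative network rights to fix DHCP packets
        "--cap-add=NET_ADMIN"
        # Allows raw socket parsing needed for network sniffing
        "--cap-add=NET_RAW"
      ];
      overrides = {
        volumes = [
          "${serverCfg.configPath}/homeassistant/:/config"
          # ":ro" only blocks filesystem writes under the mount; the container
          # can still connect to the bus socket exposed here.
          "/run/dbus:/run/dbus:ro"
        ];
      };
    };
  };

  setup = {
    trigger = "server";
    # DEFAULT_ADMIN_USERNAME / DEFAULT_ADMIN_PASSWORD are presumably supplied
    # by this env file; verify against the secret's contents.
    envFile = config.sops.secrets."CUSTOM".path;
    script = pkgs.writeShellScript "setup" ''
      HASS_URL="https://${containerCfg.subdomain}.${serverCfg.domain}"

      # Block until the frontend answers through the proxy.
      until [[ "$(${curl} -s -o /dev/null -w "%{http_code}" "$HASS_URL/manifest.json")" =~ (200|301|302) ]]; do
        sleep 5
      done
      sleep 5

      # The script treats HTTP 200 here as "onboarding still pending".
      ONBOARDING_STATUS=$(${curl} -s -o /dev/null -w "%{http_code}" "$HASS_URL/api/onboarding" 2>/dev/null || echo "000")

      if [ "$ONBOARDING_STATUS" = "200" ]; then
        if [ -z "$DEFAULT_ADMIN_USERNAME" ] || [ -z "$DEFAULT_ADMIN_PASSWORD" ]; then
          echo "home-assistant setup: admin credentials are not set" >&2
          exit 1
        fi
        # jq reads the credentials from the environment, so they are JSON-escaped
        # correctly and never appear in a process argument list.
        export DEFAULT_ADMIN_USERNAME DEFAULT_ADMIN_PASSWORD

        AUTH_CODE=$(
          ${jq} -cn --arg url "$HASS_URL" \
            '{client_id: $url, name: env.DEFAULT_ADMIN_USERNAME, username: env.DEFAULT_ADMIN_USERNAME, password: env.DEFAULT_ADMIN_PASSWORD, language: "en"}' \
          | ${curl} -s -X POST "$HASS_URL/api/onboarding/users" \
              -H "Content-Type: application/json" \
              --data-binary @- \
          | ${jq} -r '.auth_code'
        )
        # Stop loudly if the owner account was not created: continuing would
        # report success while onboarding is still open on the public URL.
        if [ -z "$AUTH_CODE" ] || [ "$AUTH_CODE" = "null" ]; then
          echo "home-assistant setup: owner account creation failed" >&2
          exit 1
        fi

        ACCESS_TOKEN=$(
          ${curl} -s -X POST "$HASS_URL/auth/token" \
            -H "Content-Type: application/x-www-form-urlencoded" \
            -d "grant_type=authorization_code&code=$AUTH_CODE&client_id=$HASS_URL" \
          | ${jq} -r '.access_token'
        )
        if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
          echo "home-assistant setup: token exchange failed" >&2
          exit 1
        fi

        # Remaining onboarding steps stay best-effort, as in the original.
        ${curl} -s -X POST "$HASS_URL/api/onboarding/core_config" \
          -H "Authorization: Bearer $ACCESS_TOKEN" \
          -H "Content-Type: application/json" \
          -d '{"time_zone":"${config.time.timeZone}"}' > /dev/null 2>&1 || true

        ${curl} -s -X POST "$HASS_URL/api/onboarding/analytics" \
          -H "Authorization: Bearer $ACCESS_TOKEN" \
          -H "Content-Type: application/json" \
          -d '{}' > /dev/null 2>&1 || true

        # Original posted to the undefined $HA_URL; the request never reached
        # the instance and "|| true" hid the failure.
        ${curl} -s -X POST "$HASS_URL/api/onboarding/integration" \
          -H "Authorization: Bearer $ACCESS_TOKEN" \
          -H "Content-Type: application/json" \
          -d '{"client_id":"'"$HASS_URL"'","redirect_uri":"'"$HASS_URL"'/?auth_callback=1"}' > /dev/null 2>&1 || true
      fi
    '';
  };
}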