{% from "macros/health.java" import health_check %}

{% set tpl = ix_lib.base.render.Render(values) %}

{% set c1 = tpl.add_container(values.consts.keycloak_container_name, "image") %}
{% set perm_container = tpl.deps.perms(values.consts.perms_container_name) %}
{% set perms_config = {"uid": values.consts.run_as_user, "gid": values.consts.run_as_group, "mode": "check"} %}
{% set scheme = "https" if values.network.certificate_id else "http" %}

{% set pg_config = {
  "user": values.consts.db_user,
  "password": values.keycloak.db_password,
  "database": values.consts.db_name,
  "volume": values.storage.postgres_data,
} %}
{% set postgres = tpl.deps.postgres(values.consts.postgres_container_name, values.keycloak.postgres_image_selector, pg_config, perm_container) %}

{% do c1.set_user(values.consts.run_as_user, values.consts.run_as_group) %}
{% do c1.set_command(["start"]) %}
{% do c1.depends.add_dependency(values.consts.postgres_container_name, "service_healthy") %}
{% do c1.configs.add("healthcheck", health_check(scheme), "/health.java", "0755") %}
{% do c1.healthcheck.set_custom_test("java /health.java") %}

{% do c1.environment.add_env("KC_BOOTSTRAP_ADMIN_USERNAME", "temp-admin") %}
{% do c1.environment.add_env("KC_BOOTSTRAP_ADMIN_PASSWORD", "temp-admin") %}

{% do c1.environment.add_env("KC_DB", "postgres") %}
{% do c1.environment.add_env("KC_DB_URL_DATABASE", values.consts.db_name) %}
{% do c1.environment.add_env("KC_DB_URL_HOST", values.consts.postgres_container_name) %}
{% do c1.environment.add_env("KC_DB_URL_PORT", 5432) %}
{% do c1.environment.add_env("KC_DB_PASSWORD", values.keycloak.db_password) %}
{% do c1.environment.add_env("KC_DB_USERNAME", values.consts.db_user) %}
{% do c1.environment.add_env("KC_HEALTH_ENABLED", true) %}

{% do c1.environment.add_env("KC_HOSTNAME", values.keycloak.hostname) %}
{% do c1.environment.add_env("KC_HTTP_ENABLED", not values.network.certificate_id) %}
{% if values.network.certificate_id %}
  {% do c1.environment.add_env("KC_HTTPS_PORT", values.network.web_port.port_number) %}

  {% do c1.environment.add_env("KC_HTTPS_CERTIFICATE_FILE", values.consts.ssl_cert_path) %}
  {% do c1.environment.add_env("KC_HTTPS_CERTIFICATE_KEY_FILE", values.consts.ssl_key_path) %}
  {% do c1.configs.add("private", values.ix_certificates[values.network.certificate_id].privatekey, values.consts.ssl_key_path) %}
  {% do c1.configs.add("public", values.ix_certificates[values.network.certificate_id].certificate, values.consts.ssl_cert_path) %}
{% else %}
  {% do c1.environment.add_env("KC_HTTP_PORT", values.network.web_port.port_number) %}
{% endif %}

{% do c1.environment.add_user_envs(values.keycloak.additional_envs) %}

{% do c1.add_port(values.network.web_port) %}

{% for store in values.storage.additional_storage %}
  {% do c1.add_storage(store.mount_path, store) %}
  {% do perm_container.add_or_skip_action(store.mount_path, store, perms_config) %}
{% endfor %}

{% if perm_container.has_actions() %}
  {% do perm_container.activate() %}
  {% do c1.depends.add_dependency(values.consts.perms_container_name, "service_completed_successfully") %}
  {% do postgres.add_dependency(values.consts.perms_container_name, "service_completed_successfully") %}
{% endif %}

{% do tpl.portals.add(values.network.web_port, {"scheme": scheme}) %}

{{ tpl.render() | tojson }}