{% set tpl = ix_lib.base.render.Render(values) %}

{% set c1 = tpl.add_container(values.consts.portainer_container_name, values.portainer.image_selector) %}
{% do c1.set_user(0, 0) %}
{% do c1.add_caps(["CHOWN", "DAC_OVERRIDE", "FOWNER", "KILL", "SETGID", "SETUID", "SETPCAP", "SETFCAP"]) %}
{% do c1.environment.add_user_envs(values.portainer.additional_envs) %}
{% do c1.healthcheck.disable() %}
{% set cmd = namespace(x=[
  "--data", values.consts.data_path,
  "--tunnel-port", tpl.funcs.or_default(values.network.tunnel_port.port_number, 0),
  "--bind-https", ":%d" | format(values.network.web_port.port_number),
  "--http-enabled" if values.network.http_port.bind_mode else "--http-disabled",
]) %}

{% if values.network.http_port.bind_mode %}
  {% do cmd.x.extend(["--bind", ":%d" | format(values.network.http_port.port_number)]) %}
{% endif %}

{% if values.network.certificate_id %}
  {% do cmd.x.extend([
    "--sslkey", values.consts.ssl_key_path,
    "--sslcert", values.consts.ssl_cert_path,
  ]) %}

  {% set cert = values.ix_certificates[values.network.certificate_id] %}
  {% do c1.configs.add("private", cert.privatekey, values.consts.ssl_key_path) %}
  {% do c1.configs.add("public", cert.certificate, values.consts.ssl_cert_path) %}
{% endif %}
{% do c1.set_command(cmd.x) %}

{% do c1.add_port(values.network.web_port) %}
{% do c1.add_port(values.network.tunnel_port) %}
{% do c1.add_port(values.network.http_port) %}

{% do c1.add_docker_socket(read_only=False) %}

{% do c1.add_storage(values.consts.data_path, values.storage.data) %}
{% for store in values.storage.additional_storage %}
  {% do c1.add_storage(store.mount_path, store) %}
{% endfor %}

{% do tpl.portals.add(values.network.http_port, {"name": "HTTP"}) %}
{% do tpl.portals.add(values.network.web_port, {"name": "HTTPS", "scheme": "https"}) %}

{{ tpl.render() | tojson }}