{% from "macros/nginx.conf.jinja" import nginx_conf %}
{% set tpl = ix_lib.base.render.Render(values) %}

{% set c1 = tpl.add_container(values.consts.collabora_container_name, "image") %}
{% set nginx = namespace(x=None) %}

{% if values.network.certificate_id %}
  {% set nginx.x = tpl.add_container(values.consts.nginx_container_name, "nginx_image") %}
  {% do nginx.x.depends.add_dependency(values.consts.collabora_container_name, "service_healthy") %}
  {% do nginx.x.add_caps(["CHOWN", "FOWNER", "DAC_OVERRIDE", "SETGID", "SETUID"]) %}
  {% do nginx.x.healthcheck.set_test("curl", {"port": values.network.web_port.port_number, "path": "/robots.txt", "scheme": "https"}) %}
  {% do nginx.x.add_port(values.network.web_port) %}

  {% set cert = values.ix_certificates[values.network.certificate_id] %}
  {% do nginx.x.configs.add("private", cert.privatekey, values.consts.nginx_ssl_key_path) %}
  {% do nginx.x.configs.add("public", cert.certificate, values.consts.nginx_ssl_cert_path) %}

  {% do nginx.x.configs.add("nginx.conf", nginx_conf(values), "/etc/nginx/nginx.conf") %}

  {% do nginx.x.add_storage("/var/cache/nginx", {"type": "anonymous"}) %}
  {% do nginx.x.add_storage("/var/run", {"type": "anonymous"}) %}
{% else %}
  {% do c1.add_port(values.network.web_port, {"container_port": values.consts.internal_collabora_web_port}) %}
{% endif %}

{% do c1.remove_security_opt("no-new-privileges") %}
{% do c1.add_caps(caps=["CHOWN", "FOWNER", "DAC_OVERRIDE", "SETGID", "SETUID", "SETFCAP", "SYS_CHROOT", "MKNOD"]) %}
{% do c1.healthcheck.set_test("http", {"port": values.consts.internal_collabora_web_port})%}

{% do c1.environment.add_env("timezone", values.TZ) %}
{% do c1.environment.add_env("aliasgroup1", values.collabora.aliasgroup1|join(",")) %}
{% do c1.environment.add_env("dictionaries", values.collabora.dictionaries|join(" ")) %}
{% do c1.environment.add_env("extra_params", values.collabora.extra_params|join(" ")) %}
{% do c1.environment.add_env("DONT_GEN_SSL_CERT", true) %}
{% set domain = values.collabora.server_name if ":" in values.collabora.server_name else "%s:%d"|format(values.collabora.server_name, values.network.web_port.port_number) %}
{% do c1.environment.add_env("server_name", domain.split(":443")[0].split(":80")[0]) %}
{% if values.collabora.enable_webui %}
  {% do c1.environment.add_env("username", values.collabora.username) %}
  {% do c1.environment.add_env("password", values.collabora.password) %}
{% endif %}

{% do c1.environment.add_user_envs(values.collabora.additional_envs) %}

{% for store in values.storage.additional_storage %}
  {% do c1.add_storage(store.mount_path, store)%}
{% endfor %}

{% set proto = "https" if values.network.certificate_id else "http" %}
{% set path = "/browser/dist/admin/admin.html" if values.collabora.enable_webui else "/" %}
{% do tpl.portals.add(values.network.web_port, {"scheme": proto, "path": path}) %}

{{ tpl.render() | tojson }}