nix/modules/services/karakeep.nix

{
  lib,
  config,
  ...
}:
let
  cfg = config.my.services.karakeep;
in
{

  options.my.services.karakeep = {
    enable = lib.mkEnableOption "Karakeep (services.karakeep)";

    port = lib.mkOption {
      type = lib.types.port;
      default = 3000;
      description = ''
        HTTP port for the web service. Used for Caddy reverse_proxy and
        services.karakeep.extraEnvironment.PORT unless overridden there.
      '';
    };

    environmentFile = lib.mkOption {
      type = lib.types.nullOr lib.types.path;
      default = null;
      description = ''
        Optional environment file merged into Karakeep systemd units (e.g. agenix).
      '';
    };

    extraEnvironment = lib.mkOption {
      type = lib.types.attrsOf lib.types.str;
      default = { };
      description = ''
        Merged into services.karakeep.extraEnvironment. PORT defaults to
        my.services.karakeep.port but can be overridden here.
      '';
    };

    proxy = {
      enable = lib.mkEnableOption "Set the Caddy reverse proxy entry for this service";

      domain = lib.mkOption {
        default = "example.com";
        type = lib.types.str;
        description = ''
          The domain where Caddy is reachable
        '';
      };

      subdomain = lib.mkOption {
        default = "keep";
        type = lib.types.str;
        description = ''
          Subdomain for Karakeep
        '';
      };

      host = lib.mkOption {
        default = "localhost";
        type = lib.types.str;
        description = ''
          Hostname where Karakeep is listening
        '';
      };

    };
  };

  config = lib.mkMerge [
    (lib.mkIf cfg.enable {
      services.karakeep = {
        enable = true;
        browser.enable = true;
        meilisearch.enable = true;
        environmentFile = cfg.environmentFile;
        extraEnvironment = {
          PORT = toString cfg.port;
          DISABLE_NEW_RELEASE_CHECK = "true";
        }
        // cfg.extraEnvironment;
      };

      networking.firewall.allowedTCPPorts = [ cfg.port ];

    })

    (lib.mkIf cfg.proxy.enable {
      services.caddy = with cfg.proxy; {
        virtualHosts."${subdomain}.${domain}".extraConfig = ''
          reverse_proxy http://${host}:${toString cfg.port}
          import cloudflare_${domain}
        '';
      };
    })
  ];
}