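# Based on https://github.com/MbinOrg/mbin/blob/main/compose.yaml
#
# Non-secret Mbin settings live in var.mbin_env. Every credential is supplied
# through a separate `sensitive` variable with no default, so nothing secret is
# committed with this file (set them via TF_VAR_* or an untracked *.tfvars).
# Credentials committed in an earlier revision of this file should be treated
# as exposed and rotated.
#
# Terraform still writes the resolved values to state in plain text, so the
# state backend needs access control and encryption at rest.

variable "mbin_env" {
  description = "Non-secret environment for the mbin-php container, as KEY=value strings. Secrets are appended from the mbin_* sensitive variables."
  type        = list(string)
  default = [
    # From https://github.com/MbinOrg/mbin/blob/main/.env.example_docker
    #
    # Values are written without surrounding quotes: unlike a compose env_file,
    # the Docker API hands each string to the container verbatim, so a quoted
    # value would reach the application with the quote characters included.

    # Docker specific variables
    "MBIN_USER=1000:1000",
    # Possible values: debug, info, notice, warning, error, critical, alert, emergency
    "PHP_LOG_LEVEL=error",

    # Mbin variables
    "SERVER_NAME=mbin.rescla.me, php:80",
    "KBIN_DOMAIN=mbin.rescla.me",
    "KBIN_TITLE=Mbin",
    "KBIN_DEFAULT_LANG=en",
    "KBIN_FEDERATION_ENABLED=true",
    "KBIN_CONTACT_EMAIL=contact@mbin.rescla.me",
    # Was "noreply@mbin..rescla.me"; the doubled dot is not a valid domain.
    "KBIN_SENDER_EMAIL=noreply@mbin.rescla.me",
    "KBIN_JS_ENABLED=true",
    "KBIN_REGISTRATIONS_ENABLED=true",
    "KBIN_API_ITEMS_PER_PAGE=25",
    "KBIN_STORAGE_URL=https://mbin.rescla.me/media",
    "KBIN_META_TITLE=Mbin",
    "KBIN_META_DESCRIPTION=content aggregator, content voting, discussion and micro-blogging platform on the fediverse",
    "KBIN_META_KEYWORDS=mbin, content aggregator, open source, fediverse",
    "KBIN_HEADER_LOGO=false",
    "KBIN_FEDERATION_PAGE_ENABLED=true",
    "MBIN_DEFAULT_THEME=default",

    # Set the max image file size (in bytes)
    # This should be set to <= `upload_max_filesize` and `post_max_size` in the server's php.ini file
    "MBIN_MAX_IMAGE_BYTES=6000000",

    # Change the down vote behaviour. Possible values are:
    # 'enabled'  => default mode, downvotes are enabled
    # 'hidden'   => downvotes are counted and users can downvote, but the number is hidden
    # 'disabled' => downvotes are ignored and the downvote button is hidden.
    #               They also do not count in the sorting
    "MBIN_DOWNVOTES_MODE=enabled",

    # Only let admins generate oauth clients
    "KBIN_ADMIN_ONLY_OAUTH_CLIENTS=false",

    # Manually approve every new user.
    # This key used to appear twice (false, then true). The container env is a
    # set, so which duplicate wins is not something to rely on; the stricter
    # value is kept as the single entry.
    "MBIN_NEW_USERS_NEED_APPROVAL=true",

    # Use an allowlist instead of a ban list
    "MBIN_USE_FEDERATION_ALLOW_LIST=false",

    # NOTE(review): going by the variable name this limits the sidebar's random
    # sections to local content; confirm against the upstream documentation.
    "MBIN_SIDEBAR_SECTIONS_RANDOM_LOCAL_ONLY=false",
    # Show only local users in the active users section
    "MBIN_SIDEBAR_SECTIONS_USERS_LOCAL_ONLY=false",

    # Captcha (also enable in admin panel/settings)
    "KBIN_CAPTCHA_ENABLED=false",

    ###> meteo-concept/hcaptcha-bundle ###
    # Left empty while the captcha is disabled. If it is enabled, pass
    # HCAPTCHA_SECRET through a sensitive variable rather than writing it here.
    "HCAPTCHA_SITE_KEY=",
    "HCAPTCHA_SECRET=",
    ###< meteo-concept/hcaptcha-bundle ###

    # If you are running Mbin behind a reverse proxy, adjust the proxy address/range below
    # to your server's IP address if it does not already fall within the private IP spaces specified.
    # Keep this list as narrow as possible: every listed address is trusted to
    # assert the client IP through forwarding headers.
    #TRUSTED_PROXIES=::1,127.0.0.1,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
    "TRUSTED_PROXIES=192.168.3.29",

    # S3 storage (optional)
    # Left empty. If S3 is used, pass S3_KEY/S3_SECRET through sensitive
    # variables rather than writing them here.
    "S3_KEY=",
    "S3_SECRET=",
    "S3_BUCKET=",
    "S3_REGION=",
    "S3_ENDPOINT=",
    "S3_VERSION=",

    # image exif cleaning options
    # available value: none, sanitize, scrub
    # can be set differently for user uploaded and external media
    "EXIF_CLEAN_MODE_UPLOADED=sanitize",
    "EXIF_CLEAN_MODE_EXTERNAL=none",
    # path to exiftool binary, leave blank for auto PATH search
    "EXIF_EXIFTOOL_PATH=",
    # max execution time for exiftool in seconds, defaults to 10 seconds
    "EXIF_EXIFTOOL_TIMEOUT=10",

    ###> doctrine/doctrine-bundle ###
    # Format described at https://www.doctrine-project.org/projects/doctrine-dbal/en/latest/reference/configuration.html#connecting-using-a-url
    "POSTGRES_DB=mbin",
    "POSTGRES_USER=mbin",
    # IMPORTANT: You MUST configure your PostgreSQL server version!
    "POSTGRES_VERSION=16",
    ###< doctrine/doctrine-bundle ###

    ###> symfony/messenger ###
    "RABBITMQ_DEFAULT_USER=mbin",
    ###< symfony/messenger ###

    ###> symfony/mercure-bundle ###
    # See https://symfony.com/doc/current/mercure.html#configuration
    # The URL of the Mercure hub, used by the app to publish updates (can be a local URL)
    # Assuming you are running Mercure Caddy on port 3000
    "MERCURE_URL=http://php/.well-known/mercure",
    # The public URL of the Mercure hub, used by the browser to connect
    # NOTE(review): host is kbin.rescla.me while KBIN_DOMAIN is mbin.rescla.me; confirm this is intended.
    "MERCURE_PUBLIC_URL=https://kbin.rescla.me/.well-known/mercure",
    ###< symfony/mercure-bundle ###

    ###> nelmio/cors-bundle ###
    # Backslashes are doubled because "\." is not a valid HCL escape sequence.
    # The dots in the host name are escaped as well so that "." cannot match an
    # arbitrary character and admit look-alike origins.
    # NOTE(review): origin is kbin.rescla.me while KBIN_DOMAIN is mbin.rescla.me; confirm this is intended.
    "CORS_ALLOW_ORIGIN=^https?://(kbin\\.rescla\\.me|127\\.0\\.0\\.1)(:[0-9]+)?$",
    ###< nelmio/cors-bundle ###

    ###> symfony/lock ###
    # Choose one of the stores below
    # postgresql+advisory://db_user:db_password@localhost/db_name
    "LOCK_DSN=flock",
    ###< symfony/lock ###

    ###> league/oauth2-server-bundle ###
    "OAUTH_PRIVATE_KEY=%kernel.project_dir%/config/oauth2/private.pem",
    "OAUTH_PUBLIC_KEY=%kernel.project_dir%/config/oauth2/public.pem",
    "OAUTH_ENCRYPTION_KEY=",
    ###< league/oauth2-server-bundle ###
  ]
}

# Secrets. None has a default, and each rejects the "!Change...!" placeholders
# from the upstream example file: a placeholder that ships unchanged is a
# publicly known credential.

variable "mbin_valkey_password" {
  description = "Password for the Valkey instance (VALKEY_PASSWORD, also embedded in REDIS_DNS)."
  type        = string
  sensitive   = true

  validation {
    condition     = length(var.mbin_valkey_password) > 0 && !can(regex("^!Change", var.mbin_valkey_password))
    error_message = "Set a real Valkey password; the upstream placeholder is not acceptable."
  }
}

variable "mbin_app_secret" {
  description = "Symfony APP_SECRET."
  type        = string
  sensitive   = true

  validation {
    condition     = length(var.mbin_app_secret) > 0 && !can(regex("^!Change", var.mbin_app_secret))
    error_message = "Set a real APP_SECRET; the upstream placeholder is not acceptable."
  }
}

variable "mbin_postgres_password" {
  description = "Password of the PostgreSQL user (POSTGRES_PASSWORD, also embedded in DATABASE_URL)."
  type        = string
  sensitive   = true

  validation {
    condition     = length(var.mbin_postgres_password) > 0 && !can(regex("^!Change", var.mbin_postgres_password))
    error_message = "Set a real PostgreSQL password; the upstream placeholder is not acceptable."
  }
}

variable "mbin_rabbitmq_password" {
  description = "Password of the RabbitMQ user (RABBITMQ_DEFAULT_PASS, also embedded in MESSENGER_TRANSPORT_DSN)."
  type        = string
  sensitive   = true

  validation {
    condition     = length(var.mbin_rabbitmq_password) > 0 && !can(regex("^!Change", var.mbin_rabbitmq_password))
    error_message = "Set a real RabbitMQ password; the upstream placeholder is not acceptable."
  }
}

variable "mbin_mailer_dsn" {
  # See https://symfony.com/doc/current/mailer.html#using-built-in-transports
  # Explicitly url encode any character in username and password (%40 = @).
  # Examples:
  #   sendmail://default                                    (when using Postfix)
  #   gmail+smtp://user%40domain.com:pass@smtp.gmail.com
  #   smtp://username:password@smtpserver.tld:587?encryption=tls&auth_mode=log
  #   smtp://username:password@smtpserver.tld:465?encryption=ssl&auth_mode=log
  #   mailgun://KEY:DOMAIN@default?region=us
  #   mailgun+smtp://postmaster@sandboxxx.mailgun.org:key@default?region=us
  description = "Complete Symfony Mailer DSN, including the SMTP credentials."
  type        = string
  sensitive   = true
}

variable "mbin_mercure_jwt_secret" {
  description = "Secret used to sign the Mercure JWTs (MERCURE_JWT_SECRET)."
  type        = string
  sensitive   = true

  validation {
    condition     = length(var.mbin_mercure_jwt_secret) > 0 && !can(regex("^!Change", var.mbin_mercure_jwt_secret))
    error_message = "Set a real Mercure JWT secret; the upstream placeholder is not acceptable."
  }
}

variable "mbin_oauth_passphrase" {
  description = "Passphrase protecting the OAuth2 private key (OAUTH_PASSPHRASE)."
  type        = string
  sensitive   = true

  validation {
    condition     = length(var.mbin_oauth_passphrase) > 0 && !can(regex("^!Change", var.mbin_oauth_passphrase))
    error_message = "Set a real OAuth passphrase; the upstream placeholder is not acceptable."
  }
}

locals {
  # Secret-bearing entries, built from the sensitive variables above.
  # Passwords placed inside a DSN go through urlencode(): characters such as
  # "@" in a raw password would otherwise be read as the userinfo/host
  # separator and the URL would be parsed incorrectly.
  mbin_secret_env = [
    # Valkey
    "VALKEY_PASSWORD=${var.mbin_valkey_password}",
    "REDIS_DNS=redis://${urlencode(var.mbin_valkey_password)}@valkey:6379",

    ###> symfony/framework-bundle ###
    "APP_SECRET=${var.mbin_app_secret}",
    ###< symfony/framework-bundle ###

    ###> doctrine/doctrine-bundle ###
    "POSTGRES_PASSWORD=${var.mbin_postgres_password}",
    "DATABASE_URL=postgresql://mbin:${urlencode(var.mbin_postgres_password)}@postgres:5432/mbin?serverVersion=16&charset=utf8",
    ###< doctrine/doctrine-bundle ###

    ###> symfony/messenger ###
    "RABBITMQ_DEFAULT_PASS=${var.mbin_rabbitmq_password}",
    "MESSENGER_TRANSPORT_DSN=amqp://mbin:${urlencode(var.mbin_rabbitmq_password)}@amqproxy:5673/%2f/messages",
    ###< symfony/messenger ###

    ###> symfony/mailer ###
    "MAILER_DSN=${var.mbin_mailer_dsn}",
    ###< symfony/mailer ###

    ###> symfony/mercure-bundle ###
    "MERCURE_JWT_SECRET=${var.mbin_mercure_jwt_secret}",
    ###< symfony/mercure-bundle ###

    ###> league/oauth2-server-bundle ###
    "OAUTH_PASSPHRASE=${var.mbin_oauth_passphrase}",
    ###< league/oauth2-server-bundle ###
  ]
}

# Resolves the current digest of the tag so the image is re-pulled when it moves.
# `latest` is a mutable tag: every apply can roll the container to whatever was
# last published upstream. Pin a release tag or a digest if upgrades should be
# reviewed before they are deployed.
data "docker_registry_image" "mbin" {
  name = "ghcr.io/mbinorg/mbin:latest"
}

resource "docker_image" "mbin" {
  name          = data.docker_registry_image.mbin.name
  pull_triggers = [data.docker_registry_image.mbin.sha256_digest]
}

resource "docker_container" "mbin-php" {
  # Was docker_image.configarr.image_id, which would start this container from
  # a different image than the one declared for Mbin above.
  image = docker_image.mbin.image_id
  name  = "mbin-php"

  # Non-secret settings plus the entries derived from the sensitive variables.
  env = concat(var.mbin_env, local.mbin_secret_env)
}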