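# Helpers for declaring containers and their static data directories.
#
# Arguments:
#   config    - NixOS configuration; only `config.sops.secrets.<NAME>.path` is read here.
#   lib       - nixpkgs library functions.
#   pkgs      - nixpkgs package set; only `pkgs.runCommand` is used here.
#   serverCfg - site settings; only `serverCfg.hostDomain` is read here.
#
# Result: an attribute set with `mkContainer`, `mkData` and `host`.
{ config, lib, pkgs, serverCfg }:
let
  # Build one container definition.
  # NOTE(review): the attribute names look like the options of
  # virtualisation.oci-containers.containers.<name>; confirm against the caller.
  #
  #   image / imageStream - image reference; when `imageStream` is set its
  #                         imageName:imageTag takes precedence over `image`.
  #   secret              - name of a sops secret (upper-cased) whose decrypted
  #                         file is passed as an environment file.
  #   subdomain           - when set, the container is published through Traefik
  #                         at <subdomain>.<serverCfg.hostDomain>; when null,
  #                         Traefik is explicitly disabled for the container.
  #   ip, port            - optional fixed container IP and Traefik backend port.
  #   extraEnv, extraLabels, extraOptions - appended to / merged over the defaults.
  #   overrides           - merged last with lib.recursiveUpdate, so it can replace
  #                         any value computed here, including the Traefik labels.
  builder =
    { image ? null
    , imageStream ? null
    , secret ? null
    , subdomain ? null
    , ip ? null
    , port ? 0
    , extraEnv ? { }
    , extraLabels ? { }
    , extraOptions ? [ ]
    , overrides ? { }
    }:
    let
      base = {
        image =
          if imageStream != null
          then "${imageStream.imageName}:${imageStream.imageTag}"
          else image;
        inherit imageStream;

        # Secrets are handed over as a path to the sops-managed file, so their
        # contents are not evaluated into this expression.
        environmentFiles =
          if secret != null
          then [ config.sops.secrets."${lib.toUpper secret}".path ]
          else [ ];

        # Plain Nix values: anything placed in `extraEnv` is part of the evaluated
        # configuration. Credentials belong in `secret`, not here.
        environment = extraEnv;

        # Routing is opt-in: without a subdomain the container carries
        # traefik.enable=false. `extraLabels` is merged last and can override
        # every label below, including `traefik.enable`.
        labels =
          (if subdomain != null then
            ({
              "traefik.enable" = "true";
              "traefik.http.routers.${subdomain}.entrypoints" = "web-secure";
              "traefik.http.routers.${subdomain}.rule" = "Host(`${subdomain}.${serverCfg.hostDomain}`)";
              "traefik.http.routers.${subdomain}.tls" = "true";
            }
            # NOTE(review): `port` defaults to 0, not null, so this guard only
            # skips the label when a caller passes `port = null` explicitly;
            # by default the label is emitted with the value "0". Confirm that
            # is intended.
            // lib.optionalAttrs (port != null) {
              "traefik.http.services.${subdomain}.loadbalancer.server.port" = toString port;
            })
          else
            { "traefik.enable" = "false"; })
          // extraLabels;

        # Every container gets a hosts entry that resolves to the host gateway,
        # so services the host exposes on that address are reachable from inside
        # each container; restrict them on the host side where that matters.
        extraOptions = extraOptions
          ++ [ "--add-host=host.containers.internal:host-gateway" ]
          ++ lib.optional (ip != null) "--ip=${ip}";
      };
    in
    lib.recursiveUpdate base overrides;
in
{
  mkContainer = builder;

  # Copy ./data/<dir> into a store path and replace every @NAME@ placeholder
  # with the matching value from `vars`.
  #
  #   name - derivation name.
  #   dir  - sub-directory below ./data to copy.
  #   vars - placeholder name -> value. The set is also passed to runCommand as
  #          the derivation environment, so every value ends up in the .drv file
  #          and in the output, both in the world-readable Nix store. Never put
  #          secrets in `vars`.
  #
  # NOTE(review): `./data/...` below is shell text, not a Nix path, so it is
  # resolved against the builder's working directory; confirm the data tree is
  # actually present there.
  mkData = { name, dir, vars ? { } }:
    let
      # One substituteInPlace call per variable. Pattern and value are passed
      # through lib.escapeShellArg so quotes, `$` or backticks in a value are
      # taken literally instead of being interpreted by the build shell.
      substitutions = lib.concatStringsSep "\n" (lib.mapAttrsToList
        (n: v: ''substituteInPlace "$file" --replace ${lib.escapeShellArg "@${n}@"} ${lib.escapeShellArg (toString v)}'')
        vars);
    in
    # The leading `:` keeps the loop body non-empty: with the default
    # `vars = { }` there are no substitutions, and an empty `do ... done` is a
    # bash syntax error. `IFS= read -r` keeps backslashes and leading or
    # trailing blanks in file names intact.
    pkgs.runCommand name vars ''
      mkdir -p $out
      cp -r ./data/${lib.escapeShellArg dir}/. $out/
      find $out -type f | while IFS= read -r file; do
        :
        ${substitutions}
      done
    '';

  # Host name containers use to reach the host; matches the --add-host entry
  # added by mkContainer.
  host = "host.containers.internal";
}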