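# FreshRSS service definition.
#
# Takes the system config, this container's config, nixpkgs, the container
# builder and the service name. Returns an attrset describing the host path to
# create, the container to run, and a one-shot setup script.
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
  # NOTE(review): "latest" is a mutable tag, so the image that actually runs can
  # change without any change to this file. Pin a release tag or an image
  # digest so deployments are reproducible and upstream changes are reviewed.
  version = "latest";
  serverCfg = config.syscfg.server;
in
{
  sops = true;
  db = true;

  # Host directory that is bind-mounted into the container as /config below.
  paths = [
    {
      path = "${serverCfg.configPath}/freshrss";
      owner = "1000:1000";
      # NOTE(review): 0755 lets every local user read this directory; consider
      # a tighter mode if the application stores credentials here (confirm).
      mode = "0755";
    }
  ];

  containers = {
    server = builder.mkContainer {
      subdomain = containerCfg.subdomain;
      image = "ghcr.io/freshrss/freshrss:${version}";
      port = 80;
      # Name of the secret handed to the builder; how mkContainer injects it is
      # not visible in this file.
      secret = name;
      extraEnv = {
        CRON_MIN = "5,35";
        PUID = "1000";
        PGID = "1000";
        # NOTE(review): this trusts forwarded client-IP headers from every host
        # in both private ranges. Narrow it to the reverse proxy's own address
        # so other hosts on these networks cannot influence the client IP the
        # application records.
        TRUSTED_PROXY = "10.0.0.0/8 192.168.0.1/16";
        PUBLISHED_PORT = "80";
        # Change this to a secure password in production!
        # NOTE(review): a literal here ends up in the world-readable Nix store
        # and in the container definition, and "admin" is a well-known default.
        # Supply both values through the sops-managed secret instead of
        # extraEnv (presumably the one referenced by `secret` above; confirm).
        ADMIN_PASSWORD = "admin";
        # Change this to a secure password in production!
        ADMIN_API_PASSWORD = "admin";
        BASE_URL = "https://${containerCfg.subdomain}.${serverCfg.domain}";
        SERVER_DNS = "${containerCfg.subdomain}.${serverCfg.domain}";
        DB_HOST = "${builder.host}";
        DB_BASE = "freshrss_db";
        DB_USER = "freshrss_user";
        # No database password is set here; presumably it comes from the
        # secret, so confirm it is never added to extraEnv.
      };
      overrides = {
        volumes = [ "${serverCfg.configPath}/freshrss:/config" ];
      };
    };
  };

  setup = {
    # Triggers atomic environment verification on main controller
    trigger = "server";
    # The sops-decrypted env file is passed along, although the script below
    # does not reference any variable from it.
    envFile = config.sops.secrets."FRESHRSS".path;
    # Posts the language choice to step 0 of the web installer.
    # -S is added next to -s so transport and TLS errors are printed instead of
    # being swallowed. The HTTP status is still not checked, so a 4xx/5xx
    # response exits 0.
    script = pkgs.writeShellScript "setup-freshrss" ''
      RSS_URL="https://${containerCfg.subdomain}.${serverCfg.domain}"
      ${pkgs.curl}/bin/curl -sS -X POST "$RSS_URL/i/index.php?step=0" \
        -H "Content-Type: application/x-www-form-urlencoded" \
        --data-raw "language=en"
    '';
  };
}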