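# Service definition for Invidious plus its companion container.
#
# Returns an attribute set (sops / db / paths / containers / setup) that is
# consumed by the caller supplying `builder`; the exact meaning of each key is
# defined there and is not visible in this file.
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
  serverCfg = config.syscfg.server;

  # Invidious built with a locally maintained replacement of the login route.
  # NOTE(review): the whole upstream file src/invidious/routes/login.cr is
  # overwritten, so upstream changes to that authentication route (including
  # security fixes) are not picked up automatically. Re-diff
  # ../data/invidious/login.cr against upstream on every pkgs.invidious bump.
  patchedInvidious = pkgs.invidious.overrideAttrs (oldAttrs: {
    # The explicit "\n" keeps the cp on its own line even when the inherited
    # postPatch does not end with a newline.
    postPatch = (oldAttrs.postPatch or "") + "\n" + ''
      cp ${../data/invidious/login.cr} src/invidious/routes/login.cr
    '';
  });

  # Streamed OCI image whose entrypoint is the patched binary. Name and tag are
  # taken from the unpatched package, so the tag alone does not reveal that the
  # login route was replaced.
  #
  # Fix: this binding was previously called `image` while the container below
  # referenced `invidiousImage`, which is an undefined variable and fails
  # evaluation. The binding now carries the name the container uses.
  invidiousImage = pkgs.dockerTools.streamLayeredImage {
    name = pkgs.invidious.name;
    tag = pkgs.invidious.version;
    config = {
      Entrypoint = [ "${patchedInvidious}/bin/invidious" ];
      ExposedPorts = {
        "3000/tcp" = {};
      };
    };
  };
in
{
  sops = true;
  db = true;

  # Host directory that receives the rendered config.yml (see `setup`).
  # NOTE(review): 0755 makes the directory world-traversable, and config.yml is
  # created by a plain shell redirect, so its mode follows the umask of the
  # setup script. If the template pulls values from the sops env files
  # (presumably database credentials / keys - confirm), check that the rendered
  # file is not readable by unrelated local users, while staying readable by
  # the uid the container runs as.
  paths = [
    {
      path = "${serverCfg.configPath}/invidious";
      mode = "0755";
    }
  ];

  containers = {
    # Main Invidious instance; reads its configuration from the read-only
    # /data mount.
    # NOTE(review): unlike `companion`, no --cap-drop / no-new-privileges
    # options are passed here. Unless builder.mkContainer applies such
    # defaults itself (not visible in this file), consider the same hardening
    # for this container.
    server = builder.mkContainer {
      subdomain = containerCfg.subdomain;
      imageStream = invidiousImage;
      port = 3000;
      secret = name;
      overrides = {
        Cmd = [ "--config" "/data/config.yml" ];
        volumes = [ "${serverCfg.configPath}/invidious:/data:ro" ];
      };
    };

    # Companion service, run with all capabilities dropped and privilege
    # escalation disabled.
    # NOTE(review): `:latest` is a mutable tag, so the image that actually runs
    # can change on any pull without a change to this file. Pin it to a
    # specific release tag or to a digest, e.g.
    # "quay.io/invidious/invidious-companion@sha256:<digest>" (placeholder),
    # and update it deliberately.
    companion = builder.mkContainer {
      image = "quay.io/invidious/invidious-companion:latest";
      port = 8282;
      # Original note: SERVER_SECRET_KEY = INVIDIOUS_COMPANION_KEY, i.e. the
      # secret env presumably has to provide SERVER_SECRET_KEY with the same
      # value as INVIDIOUS_COMPANION_KEY - confirm against the secret file.
      secret = name;
      extraOptions = [
        "--cap-drop=all"
        "--security-opt=no-new-privileges"
      ];
    };
  };

  # Renders config.yml from the template with values taken from the
  # environment (the two sops env files plus the exports below).
  # NOTE(review): envsubst is called without a variable list, so every
  # $VAR / ${VAR} reference in the template is substituted, and unset ones
  # become empty strings. Passing an explicit list of the expected variables
  # would keep an unrelated `$` in the template, or a missing secret, from
  # silently producing a broken config.
  setup = {
    trigger = "server";
    envFile = [
      config.sops.secrets."INVIDIOUS".path
      config.sops.secrets."CUSTOM".path
    ];
    script = pkgs.writeShellScript "setup" ''
      export DB_HOST=${builder.host}
      export INVIDIOUS_DOMAIN=${containerCfg.subdomain}.${serverCfg.domain}
      ${pkgs.gettext}/bin/envsubst < "${../data/invidious/config.yml}" > "${serverCfg.configPath}/invidious/config.yml"
    '';
  };
}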