{ config, containerCfg, pkgs, lib, builder, name,... }:
let 
version = "2026.2.2";
serverCfg = config.syscfg.server;
in {
  paths = [{
    path="${serverCfg.dataPath}/authentik/media";
    owner = "1000:1000";
    mode = "0755";
  }{
    path="${serverCfg.dataPath}/authentik/templates";
    owner = "1000:1000";
    mode = "0755";
  }];

  containers = {
    server = builder.mkContainer {
      subdomain = containerCfg.subdomain;
      image = "traefik:${version}";
      ip = containerCfg.ip;
      secret = name;
      extraEnv = {
        config.sops.secrets.INFOMANIAK_API_KEY.path
      };
      overrides = {
        cmd = [ 
          "--api"
          "--providers.docker=true"
          "--entrypoints.web.address=:80"
          "--entrypoints.web-secure.address=:443"
        ];
        ports = [ "443" "80" ];
        volumes = [ 
          "/var/run/docker.sock:/var/run/docker.sock:ro"
          "${serverCfg.configPath}/traefik/traefik.yaml:/etc/traefik/traefik.yaml"
          "${serverCfg.configPath}/traefik/access.log:/etc/traefik/access.log"
          "${serverCfg.configPath}/traefik/acme.json:/acme.json"
        ];
      };
    };

  };
}