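# Authentik (SSO) deployment: a `server` container fronted by the reverse proxy and a
# `worker` container for background tasks, both pinned to the same upstream image tag.
{ config, containerCfg, pkgs, lib, builder, ... }:
let
  version = "2026.2.2";
  image = "ghcr.io/goauthentik/server:${version}";
  serverCfg = config.syscfg.server;

  # Host directories bind-mounted into both containers (uploaded media, custom templates).
  mediaPath = "${serverCfg.dataPath}/authentik/media";
  templatesPath = "${serverCfg.dataPath}/authentik/templates";
  sharedVolumes = [
    "${mediaPath}:/media"
    "${templatesPath}:/templates"
  ];

  # Environment shared by server and worker: both need the same Redis/PostgreSQL
  # endpoints and both should skip the phone-home update check.
  # SSLMODE=disable is only acceptable while PostgreSQL is reached via builder.host on
  # the local host/network; revisit if the database ever moves off-host.
  commonEnv = {
    "AUTHENTIK_REDIS__HOST" = builder.host;
    "AUTHENTIK_POSTGRESQL__HOST" = builder.host;
    "AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
    "AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
    "AUTHENTIK_POSTGRESQL__SSLMODE" = "disable";
    "AUTHENTIK_DISABLE_UPDATE_CHECK" = "true";
  };

  # Outbound mail (STARTTLS on 587). Currently only the `server` container gets these.
  # NOTE(review): authentik sends mail from background tasks, so the worker likely needs
  # this set as well — confirm against upstream docs before relying on password-reset
  # or notification mail.
  emailEnv = {
    "AUTHENTIK_EMAIL__HOST" = serverCfg.mailDomain;
    "AUTHENTIK_EMAIL__PORT" = "587";
    "AUTHENTIK_EMAIL__USERNAME" = "noreply@${serverCfg.hostDomain}";
    "AUTHENTIK_EMAIL__USE_TLS" = "true";
    "AUTHENTIK_EMAIL__USE_SSL" = "false";
    "AUTHENTIK_EMAIL__TIMEOUT" = "10";
    "AUTHENTIK_EMAIL__FROM" = "sso@noreply.${serverCfg.hostDomain}";
  };
in
{
  # Directories created on the host before the containers start; uid/gid 1000 is the
  # unprivileged user the authentik image runs as.
  paths = [
    { path = mediaPath; owner = "1000:1000"; mode = "0755"; }
    { path = templatesPath; owner = "1000:1000"; mode = "0755"; }
  ];

  containers = {
    server = builder.mkContainer {
      subdomain = containerCfg.subdomain;
      inherit image;
      port = containerCfg.port;
      ip = containerCfg.ip;
      secret = "authentik";
      extraEnv = commonEnv // emailEnv;
      overrides = {
        cmd = [ "server" ];
        # Publish a host port only when both sides are configured; 0 means "not exposed",
        # in which case the service is reachable solely through the reverse proxy.
        ports =
          if containerCfg.pubPort != 0 && containerCfg.port != 0
          then [ "${toString containerCfg.pubPort}:${toString containerCfg.port}" ]
          else [ ];
        volumes = sharedVolumes;
      };
    };

    worker = builder.mkContainer {
      inherit image;
      secret = "authentik";
      extraEnv = commonEnv;
      # extraOptions = [ "--user=:994" ]; # PODMAN GROUP FOR SOCKET ACCESS
      overrides = {
        cmd = [ "worker" ];
        volumes = sharedVolumes ++ [
          # Left disabled on purpose: a container holding the podman socket can control
          # every container on the host, which is effectively host-root. Only enable it
          # together with the user/group restriction above and a documented need.
          # "/var/run/podman/podman.sock:/var/run/docker.sock" # PODMAN GROUP FOR SOCKET ACCESS
        ];
      };
    };
  };
}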