{ config, containerCfg, pkgs, lib, builder, name, ... }:
let 
  serverCfg = config.syscfg.server;
  image = pkgs.dockerTools.streamLayeredImage {
    name = pkgs.transmission_4.name;
    tag = pkgs.transmission_4.version;
    contents = [ pkgs.cacert ];
    config = {
        Cmd = [ "${pkgs.transmission_4}/bin/transmission-daemon" "--foreground" "--config-dir" "/config" ];
        ExposedPorts = {
            "9091/tcp" = {};
            "51413/tcp" = {}; "51413/udp" = {};
        };
    };
  };
in {
  paths = [{
      path = "${serverCfg.dataPath}/transmission/complete";
      owner = "1000:1000";
      mode = "0755";
    }{
      path = "${serverCfg.dataPath}/transmission/incomplete";
      owner = "1000:1000";
      mode = "0755";
    }{
      path = "${serverCfg.configPath}/transmission/config";
      owner = "1000:1000";
      mode = "0755";
    }];

  containers = {
    server = builder.mkContainer {
      subdomain = containerCfg.subdomain;
      imageStream = image;
      port = 9091;
      
      extraEnv = {
        PUID = "1000";
        PGID = "1000";
        WHITELIST = "";# 127.0.0.1,::1,10.*";
        # HOST_WHITELIST = "traefik-server,authentik-server,authentik-worker";
      };
      extraLabels = { } // (if serverCfg.containers ? authentik then {
        "traefik.http.routers.${containerCfg.subdomain}.middlewares" = "authentik";
      } else {});

      overrides = {
        cmd = [ ];
        volumes = [
          "${serverCfg.dataPath}/transmission/complete:/downloads/complete"
          "${serverCfg.dataPath}/transmission/incomplete:/downloads/incomplete"
          "${serverCfg.configPath}/transmission/config:/config"
        ];
      };
    };
  };


  setup = {
    trigger = "server";
    envFile = [ config.sops.secrets."CUSTOM".path ];
    script = pkgs.writeShellScript "setup" ''

      ${pkgs.gettext}/bin/envsubst < "${../data/transmission/settings.json}" > "${serverCfg.configPath}/transmission/config/settings.json"
    '';
  };

}