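# NixOS module: runs the authentik server and worker as Podman-backed OCI
# containers and declares a oneshot unit that creates a Podman pod named
# "authentik".
{ config, pkgs, ... }:

{
  config.virtualisation.oci-containers = {
    backend = "podman";

    containers = {
      # Disabled Mobilizon container, kept for reference.
      #mobilizon = {
      #  image = "framasoft/mobilizon";
      #  ports = [ "127.0.0.1:4000:4000" ];
      #  volumes = [
      #    "/var/lib/mobilizon/uploads:/var/lib/mobilizon/uploads"
      #    "/run/postgresql/.s.PGSQL.5432:/run/postgresql/.s.PGSQL.5432"
      #  ];
      #  environmentFiles = [ config.secrets.files.mobilizon_env.file ];
      #};

      authentik-server = {
        # NOTE(review): "stable" is a mutable tag, so the identity provider's
        # code can change on any pull without a change to this file. Prefer a
        # release tag pinned by digest, e.g.
        # ghcr.io/goauthentik/server:<version>@sha256:<digest> (placeholders).
        image = "ghcr.io/goauthentik/server:stable";

        # Published on loopback only; nothing here exposes the service to the
        # network. Presumably a reverse proxy on the host fronts these ports -
        # confirm it is the only listener reachable from outside.
        ports = [
          "127.0.0.1:9000:9000"
          "127.0.0.1:9443:9443"
        ];

        volumes = [
          "/var/lib/authentik/media:/media"
          "/var/lib/authentik/templates:/templates"
          # Host PostgreSQL and Redis are reached through their Unix sockets.
          # Access is then decided by the socket file permissions and by the
          # service's own authentication, so check which UID the container
          # process presents. A bind mount of a single socket file goes stale
          # if the service recreates the socket on restart; mounting the
          # parent directory avoids that.
          "/run/postgresql/.s.PGSQL.5432:/run/postgresql/.s.PGSQL.5432"
          "/run/redis/redis.sock:/run/redis/redis.sock"
        ];

        # Secrets are injected as environment variables from a file.
        # NOTE(review): presumably this path is provisioned at runtime outside
        # the world-readable Nix store - confirm. Environment values are also
        # visible to anyone allowed to inspect the container.
        environmentFiles = [ config.secrets.files.authentik_env.file ];
        cmd = [ "server" ];
      };

      authentik-worker = {
        # Same mutable-tag caveat as the server; keep both images on the same
        # pinned reference so server and worker never run different versions.
        image = "ghcr.io/goauthentik/server:stable";

        # NOTE(review): the worker shares the server's environment file but
        # does not mount the PostgreSQL or Redis sockets. If that file points
        # at the Unix sockets, the worker cannot reach them - verify.
        volumes = [
          "/var/lib/authentik/backups:/backups"
          "/var/lib/authentik/media:/media"
          "/var/lib/authentik/certs:/certs"
          "/var/lib/authentik/templates:/templates"
        ];
        environmentFiles = [ config.secrets.files.authentik_env.file ];
        cmd = [ "worker" ];
      };
    };
  };

  # Oneshot unit that creates the "authentik" pod if it does not exist yet.
  # NOTE(review): neither container above is told to join this pod in the
  # configuration visible here. If they are meant to join it, the port
  # publishing belongs on the pod only; the server's own `ports` list would
  # then duplicate the mappings below.
  config.systemd.services.create-authentik-pod = {
    serviceConfig.Type = "oneshot";
    wantedBy = [
      "podman-authentik-server.service"
      "podman-authentik-worker.service"
    ];
    # wantedBy only pulls this unit in alongside the container services;
    # systemd orders units solely through Before=/After=, so the ordering is
    # stated explicitly to make the pod exist before either container starts.
    before = [
      "podman-authentik-server.service"
      "podman-authentik-worker.service"
    ];
    script = ''
      ${pkgs.podman}/bin/podman pod exists authentik || \
        ${pkgs.podman}/bin/podman pod create -n authentik -p '127.0.0.1:9000:9000' -p '127.0.0.1:9443:9443'
    '';
  };
}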