{ config, lib, ... }: let

    subdomain = "searxng";

    name = "searxng";

in {

    options.sysconfig.docker.searxng.enable = with lib; mkOption {
        type = with types; bool;
        default = false;
    };

    config = lib.mkIf (config.sysconfig.docker.searxng.enable && config.sysconfig.docker.enable) {
        
        environment.etc."searxng/settings.yml".source = ./settings.yml;

        virtualisation.oci-containers.containers.searxng = {
            image = "searxng/searxng:latest";

            # unstable, waiting for 26.05
            #pull = "newer";

            hostname = "${subdomain}.esotericbytes.com";

            networks = [
                "docker-main"
            ];

            labels = {
                "traefik.enable" = "true";
                "traefik.http.routers.${name}.entrypoints" = "localsecure";
                "traefik.http.routers.${name}.rule" = "Host(`${subdomain}.esotericbytes.com`)";
                "traefik.http.routers.${name}.service" = "${name}";
                "traefik.http.routers.${name}.tls.certResolver" = "cloudflare";
                
                #"traefik.http.services.${name}.loadbalancer.server.url" = "http://192.168.100.10:${builtins.toString hostPort}";
                "traefik.http.services.${name}.loadbalancer.server.port" = "8080";
            };

            ports = [
            ];

            extraOptions = [
                "--ip=192.168.101.9"
            ];

            volumes = [
                "vol_searxng_settings:/etc/searxng/"
                "vol_searxng_data:/var/cache/searxng/"
                "/etc/searxng/settings.yml:/etc/searxng/settings.yml"
            ];

            environment = {
                SEARXNG_SECRET = "2e8b4fcf4c0f46b097496f2d5715dbb061bd5cac78c64d0f5a0bee27f013f3c0";
            };
        };
    };
}