{ pkgsOld, ... }:
{
  containers."katzenwiki" = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = "10.0.2.1";
    localAddress = "10.0.2.2";
    bindMounts = {
      "/var/lib/mediawiki" = {
        hostPath = "/katzenwiki";
        isReadOnly = false;
      };
    };
    # extraVeths = {
    #   "katzenwiki" = {
    #     hostAddress = "10.0.2.1";
    #     localAddress = "10.0.2.2";
    #   };
    # };
    config = { config, pkgs, ... }: {
      environment.systemPackages = with pkgs; [btop ];
      networking.firewall.enable = false;
      # networking.nameservers = [ "9.9.9.9" "149.112.112.112" ];
      environment.etc."resolv.conf".text = "nameserver 9.9.9.9";      
      services.mediawiki = {
        enable = true;
        name = "katzenwiki";
        database = {
          type = "mysql";
        };
        httpd.virtualHost = {
          hostName = "wiki.katzen.cafe";
          adminAddr = "admin@katzen.cafe";
          listen = [
            {
              ip = "10.0.2.2";
              port = 80;
              ssl = false;
            }
          ];        
        };
        passwordFile = "/var/lib/mediawiki/passwordFile"; 
        extraConfig = ''
          # $wgShowExceptionDetails = true;
          # $wgDebugToolbar = true;
          # $wgShowDebug = true;
          # $wgDevelopmentWarnings = true;

          # Disable anonymous editing
          $wgGroupPermissions['*']['edit'] = false;
          $wgGroupPermissions['oidc_interface_admin'] = $wgGroupPermissions['interface_admin'];
          $wgGroupPermissions['oidc_admin'] = $wgGroupPermissions['sysop'];
          $wgGroupPermissions['oidc_admin']['userrights'] = true;

          $oidcClientSecret = file_get_contents('/var/lib/mediawiki/keycloakClientSecret', false, null, 0, 32);
          $wgPluggableAuth_Config[] = [
            'plugin' => 'OpenIDConnect',
            'data' => [
              'providerURL' => 'https://auth.katzen.cafe/realms/katzen.cafe',
              'clientID' => 'katzenwiki',
              # hack to try dynamically get the secret
              'clientsecret' => $oidcClientSecret,
              'global_roles' => ['property' => ['realm_access', 'roles']],
              'wiki_roles' => ['property' => ['resource_access', 'katzenwiki', 'roles']]
            ]
          ];
        '';
        extensions = {
          PluggableAuth = pkgs.fetchzip {
            url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_39-068be5d.tar.gz";
            sha256 = "sha256-OWfr3oq2XzyJ5tynP5bRRPm34ymqz2oIBe2vBPHK+/Q=";
          };
          OpenIDConnect = pkgs.fetchzip {
            url = "https://extdist.wmflabs.org/dist/extensions/OpenIDConnect-REL1_39-42e4d75.tar.gz";
            sha256 = "sha256-g+PGNzt0o2FebI3xyVamz5RA95E86MD2yqD4v8N6zKU=";
          };
          WikiEditor = null;
          CodeEditor = null;
        };
      };

      system.stateVersion = "23.05";
    };
  };
  deployment.keys = {
    # NOTE: for some reason, i ahd to manually chown +r the password file for mediawiki to work.
    # i should figure out why to make this work when setting up new instances...
    "katzenwikiPwFile" = {
      keyCommand = [ "pass" "wikis/katzenwiki/password" ];
      destDir = "/katzenwiki";
      name = "passwordFile";
    };
    "katzenwikiKeycloakClientSecret" = {
      keyCommand = [ "pass" "wikis/katzenwiki/keycloak-secret" ];
      destDir = "/katzenwiki";
      name = "keycloakClientSecret";
      permissions = "0604";
    };
  };
}