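# NixOS module: runs Open WebUI as an OCI container under Podman.
# The web UI is published on host port 11111 and its persistent state is kept
# in bind-mounted directories under /var/lib/open-webui.
{ config, pkgs, lib, ... }:

let
  # Host directory that holds every bind-mounted volume of the container.
  stateDir = "/var/lib/open-webui";
  # Host port the UI is published on (also opened in the firewall below).
  port = 11111;
in
{
  virtualisation.podman.enable = true;
  virtualisation.oci-containers.backend = "podman";

  virtualisation.oci-containers.containers.openwebui = {
    # NOTE(review): a floating ":latest" tag combined with "--pull=newer"
    # means the running code changes whenever upstream publishes a new image,
    # without any change to this file. For reproducible, reviewable upgrades
    # pin a release tag or an image digest and bump it deliberately.
    image = "ghcr.io/open-webui/open-webui:latest";
    autoStart = true;

    # Published on every host interface. Nothing in this module terminates
    # TLS, so logins made through this port are not protected by it.
    # NOTE(review): if remote access is not required, bind to 127.0.0.1 and
    # put a TLS-terminating reverse proxy in front.
    ports = [ "0.0.0.0:${toString port}:8080" ];

    # NOTE(review): bind mounts replace the image's own content at the target
    # path; confirm the static/ and build/ host directories are populated,
    # otherwise the container sees them empty.
    volumes = [
      "${stateDir}/data:/app/backend/data"
      "${stateDir}/static:/app/backend/static"
      "${stateDir}/build:/app/frontend/build"
    ];

    extraOptions = [ "--pull=newer" ];

    environment = {
      # Telemetry / analytics opt-outs.
      ANONYMIZED_TELEMETRY = "False";
      DO_NOT_TRACK = "True";
      SCARF_NO_ANALYTICS = "True";

      # Authentication stays on; self-registered accounts start as "pending".
      # NOTE(review): Open WebUI documents that the first account created
      # becomes the administrator. With sign-up enabled and the port reachable
      # from the network, create that account before exposing the service and
      # consider setting ENABLE_SIGNUP to "False" afterwards.
      WEBUI_AUTH = "True";
      ENABLE_SIGNUP = "True";
      DEFAULT_USER_ROLE = "pending";
      ENV = "prod";

      # Optional — helps internal routing
      # NOTE(review): the port mapping above targets container port 8080;
      # confirm these two variables do not move the listener inside the
      # container away from it.
      WEBUI_PORT = toString port;
      WEBUI_HOST = "0.0.0.0";
    };
  };

  # Create persistent state directories (like StateDirectory in systemd)
  systemd.tmpfiles.rules = [
    # The data volume holds the application's persistent state, so it is
    # limited to root instead of being world-readable (was 0755).
    # Assumes the container runs rootful as root, which is the default for
    # this backend; adjust owner/mode if the image runs under another UID.
    "d ${stateDir}/data 0700 root root - -"
    "d ${stateDir}/static 0755 root root - -"
    "d ${stateDir}/build 0755 root root - -"
  ];

  # Optional — open firewall for access
  # Together with the 0.0.0.0 publish above this makes the UI reachable from
  # every network the host is attached to.
  networking.firewall.allowedTCPPorts = [ port ];
}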