{ lib, ... }:
let
  inherit (lib) mkForce mkMerge;
  inherit (lib.my) net;
  inherit (lib.my.c.kelder) domain prefixes;
in
{
  nixos.systems.kelder-spoder = { config, ... }: {
    system = "x86_64-linux";
    nixpkgs = "mine";
    rendered = config.configuration.config.my.asContainer;

    assignments = {
      internal = {
        name = "spoder-ctr";
        inherit domain;
        ipv4.address = net.cidr.host 3 prefixes.ctrs.v4;
      };
    };

    configuration = { lib, pkgs, config, assignments, ... }:
    let
      inherit (lib.my) networkdAssignment;
    in
    {
      imports = [ ./nginx.nix ];

      config = {
        my = {
          deploy.enable = false;
          server.enable = true;
          user.config.name = "kontent";

          secrets = {
            key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBdYyebQv/bBLbat1Csnr1/VMPKsi99PiLOXyKeQb7oX";
            files = {
              "kelder/cloudflare-credentials.conf" = {
                owner = "acme";
                group = "acme";
              };
              "kelder/nextcloud-root.txt" = {
                owner = "nextcloud";
                group = "nextcloud";
              };
            };
          };
        };

        security.acme = {
          acceptTerms = true;
          defaults = {
            email = "dev@nul.ie";
            server = "https://acme-v02.api.letsencrypt.org/directory";
            reloadServices = [ "nginx" ];
            dnsResolver = "8.8.8.8";
          };
          certs = {
            "${domain}" = {
              extraDomainNames = [
                "*.${domain}"
              ];
              dnsProvider = "cloudflare";
              credentialsFile = config.age.secrets."kelder/cloudflare-credentials.conf".path;
            };
          };
        };

        users = {
          groups.storage.gid = lib.my.c.kelder.groups.storage;
          users = {
            nginx.extraGroups = [ "acme" ];

            "${config.my.user.config.name}".extraGroups = [ "storage" ];
          };
        };

        systemd = {
          network.networks."80-container-host0" = mkMerge [
            (networkdAssignment "host0" assignments.internal)
            {
              linkConfig.MTUBytes = "1420";
            }
          ];
          services = {
            radarr.serviceConfig.UMask = "0002";
            sonarr.serviceConfig.UMask = "0002";
          };
        };

        services = {
          resolved.extraConfig = mkForce "";

          nextcloud = {
            enable = true;
            package = pkgs.nextcloud28;
            datadir = "/mnt/storage/nextcloud";
            hostName = "cloud.${domain}";
            https = true;
            config = {
              adminpassFile = config.age.secrets."kelder/nextcloud-root.txt".path;
            };
            settings = {
              updatechecker = false;
              trusted_domains = [ "cloud-local.${domain}" ];
              default_phone_region = "IE";
            };
          };
        };
      };
    };
  };
}