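# NixOS module: runs the semitamaps web app inside a NixOS (systemd-nspawn)
# container with its own network namespace, NAT'd through the host uplink.
# The app serves a unix socket in /var/run/sockets, which is bind-mounted from
# the host so a host-side reverse proxy can reach it (that proxy is not
# configured in this module).
{ pkgs, lib, configVars, ... }:
let
  containerName = "semitamaps";
  # Every file under users/keys is read as a public key and becomes an
  # authorized key for root inside the container.
  pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
  hostAddress = configVars.networking.addresses.semitamaps.hostAddress;
  localAddress = configVars.networking.addresses.semitamaps.localAddress;
  workingDirectory = "/var/www/semitamaps";
in
{
  # Host-side socket directory shared with the container.
  # A directory needs the search (x) bit for anyone but root to open entries
  # inside it; the previous mode 0660 made the socket unreachable for any
  # non-root member of www-data (e.g. a reverse-proxy worker running as that
  # group). 0770 fixes that while still keeping the directory closed to others.
  systemd.tmpfiles.rules = [
    "d /var/run/sockets 0770 www-data www-data -"
  ];

  # Masquerade the container veth(s) (ve-*) behind the host's uplink.
  # NOTE(review): the external interface name is hard-coded; confirm it matches
  # the host this module is deployed on.
  networking.nat = {
    enable = true;
    internalInterfaces = [ "ve-+" ];
    externalInterface = "enp1s0";
  };

  # Keep the container's state (git checkout, .venv, uploads) across reboots
  # of an ephemeral-root host.
  environment.persistence."/persist" = {
    hideMounts = true;
    directories = [ "/var/lib/nixos-containers/${containerName}" ];
  };

  containers."${containerName}" = {
    autoStart = true;
    privateNetwork = true;
    inherit hostAddress localAddress;
    nixpkgs = pkgs.path;

    bindMounts = {
      # The host's SSH *host* key is exposed read-only and used as the git
      # deploy key in ExecStartPre below.
      # NOTE(review): reusing the host identity key as a deploy key means a
      # compromise of this container is a compromise of the host's SSH
      # identity, and the git server now holds a copy of the host's public
      # key. A dedicated deploy key registered with git.bitlab21.com would
      # limit the blast radius; left as-is here because swapping the key
      # requires re-registering it server-side.
      "/etc/ssh/ssh_host_ed25519_key" = {
        hostPath = "/etc/ssh/ssh_host_ed25519_key";
        isReadOnly = true;
      };
      # Writable so uvicorn can create its socket for the host-side proxy.
      "/var/run/sockets" = {
        hostPath = "/var/run/sockets";
        isReadOnly = false;
      };
    };

    config = { pkgs, lib, ... }: {
      networking = {
        firewall = {
          enable = true;
          rejectPackets = true;
          # NOTE(review): nothing in this module listens on TCP 80/443 inside
          # the container (the app serves a unix socket), so these openings
          # look unnecessary; sshd's port is opened by the openssh module's
          # default openFirewall. Drop them unless another service is added.
          allowedTCPPorts = [ 80 443 ];
        };
        # Use the container's own systemd-resolved instead of the host's
        # resolv.conf.
        useHostResolvConf = lib.mkForce false;
      };
      services.resolved.enable = true;

      # Directories are provisioned for www-data, but the semitamaps unit
      # below sets no User= and therefore runs as root — it has to, to read the
      # 0600 host key mounted above. Files written by git/poetry/uvicorn will
      # end up root-owned.
      systemd.tmpfiles.rules = [
        "d ${workingDirectory} 0750 www-data www-data"
        "d ${workingDirectory}/.venv 0750 www-data www-data"
        # Group-writable, world-readable upload area; whatever the app lets
        # users write here is served from disk.
        "d ${workingDirectory}/public/uploads 0775 www-data www-data"
      ];

      imports = [ ];
      environment.systemPackages = [ pkgs.vim pkgs.git ];

      # Key-only SSH; NixOS's PermitRootLogin default already forbids password
      # root logins, and root's authorized keys come from pubKeys below.
      services.openssh = {
        enable = true;
        settings.PasswordAuthentication = false;
      };

      systemd.services.semitamaps = {
        wantedBy = [ "multi-user.target" ];
        after = [ "network.target" ];
        description = "Deploys and serves semitamaps";
        environment = { };
        serviceConfig = {
          WorkingDirectory = "${workingDirectory}";
          # First start clones the repository over SSH with the mounted key;
          # every later start only re-runs `poetry install`. Nothing here ever
          # pulls/updates an existing checkout.
          ExecStartPre = pkgs.writeShellScript "semitamaps-prestart" ''
            set -e
            GITCMD="${pkgs.openssh}/bin/ssh -i /etc/ssh/ssh_host_ed25519_key"
            if [ ! -d ${workingDirectory}/.git ]; then
              # Quoted: the value contains spaces and must reach git as one string.
              export GIT_SSH_COMMAND="$GITCMD"
              ${pkgs.git}/bin/git clone git@git.bitlab21.com:sam/semitamaps.com.git ${workingDirectory}
            fi
            ${pkgs.poetry}/bin/poetry install
          '';
          # Serve on the unix socket shared with the host (see bindMounts);
          # paths are relative to WorkingDirectory.
          ExecStart = pkgs.writeShellScript "semitamaps-start" ''
            .venv/bin/python .venv/bin/uvicorn --workers 4 --uds /var/run/sockets/semitamaps.sock app:app
          '';
          Restart = "on-failure";
        };
      };

      # Pin the git server's host key so the initial clone cannot be redirected
      # to a spoofed server on first contact.
      programs.ssh.knownHosts."git.bitlab21.com".publicKey =
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIALNd2BGf64heYjWT9yt0fVmngepiHRIMsL7au/MRteg";

      users.users.root.openssh.authorizedKeys.keys =
        lib.lists.forEach pubKeys (key: builtins.readFile key);

      system.stateVersion = "24.05";
    };
  };
}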