{
  pkgs,
  lib,
  inputs,
  config,
  outputs,
  configVars,
  ...
}: let
  containerName = "docker";
  containerIp = configVars.networking.addresses.docker.ip;
  gatewayIp = configVars.networking.addresses.gateway.ip;
  dockerContainerData = configVars.locations.dockerContainerData;
  homeshareDataLocation = configVars.locations.homeshareDataLocation;
  pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
  arion = inputs.arion;
  sops-nix = inputs.sops-nix;
in {
  networking.nat.enable = true;
  networking.nat.internalInterfaces = ["ve-+"];
  networking.nat.externalInterface = "br0";

  services.restic.backups = {
    daily = {
      paths = [
        dockerContainerData
      ];
    };
  };

  environment.persistence."/persist" = {
    hideMounts = true;
    directories = [
      "/var/lib/nixos-containers/${containerName}"
    ];
  };

  containers."${containerName}" = {
    enableTun = true;

    # configuration to run docker/podman in systemd-nspawn container
    # https://discourse.nixos.org/t/podman-docker-in-nixos-container-ideally-in-unprivileged-one/22909/12
    additionalCapabilities = [
      ''all" --system-call-filter="add_key keyctl bpf" --capability="all''
    ];
    extraFlags = ["--private-users-ownership=chown"];
    allowedDevices = [
      {
        node = "/dev/nvidia0";
        modifier = "rwm";
      }
      {
        node = "/dev/nvidiactl";
        modifier = "rwm";
      }
      {
        node = "/dev/fuse";
        modifier = "rwm";
      }
      {
        node = "/dev/mapper/control";
        modifier = "rw";
      }
      {
        node = "/dev/console";
        modifier = "rwm";
      }
      {
        node = "/dev/dri/card1";
        modifier = "rwm";
      }
      {
        node = "/dev/dri/renderD128";
        modifier = "rwm";
      }
      {
        node = "/dev/net/tun";
        modifier = "rw";
      }
    ];
    ######

    autoStart = true;
    privateNetwork = true;
    hostBridge = "br0";
    nixpkgs = pkgs.path;
    bindMounts = {
      "/media/photos" = {
        hostPath = "${homeshareDataLocation}/photos";
        isReadOnly = false;
      };
      "/run/opengl-driver/lib" = {
        hostPath = "/run/opengl-driver/lib";
        isReadOnly = false;
      };
      "/dev/dri" = {
        hostPath = "/dev/dri";
        isReadOnly = false;
      };
      "/media/media" = {
        hostPath = "${homeshareDataLocation}/media";
        isReadOnly = false;
      };
      "/srv/docker" = {
        hostPath = dockerContainerData;
        isReadOnly = false;
      };
      "/etc/ssh/ssh_host_ed25519_key" = {
        hostPath = "/etc/ssh/ssh_host_ed25519_key";
        isReadOnly = true;
      };
    };

    config = {
      pkgs,
      lib,
      ...
    }: let
      secretsDirectory = builtins.toString inputs.nix-secrets;
      secretsFile = "${secretsDirectory}/secrets.yaml";
    in {
      nixpkgs.overlays = [
        outputs.overlays.unstable-packages
      ];

      networking = {
        enableIPv6 = false;
        defaultGateway = "${gatewayIp}";
        interfaces.eth0.ipv4.addresses = [
          {
            "address" = "${containerIp}";
            "prefixLength" = 24;
          }
        ];
        firewall = {
          enable = true;
          allowedTCPPorts = [
          ];
        };
        useHostResolvConf = lib.mkForce false;
      };

      hardware.graphics = {
        enable = true;
      };

      nixpkgs.config.allowUnfreePredicate = pkg:
        builtins.elem (lib.getName pkg) [
          "nvidia-x11"
          "nvidia-settings"
          "nvidia-persistenced"
        ];

      services.xserver.videoDrivers = ["nvidia"];
      hardware.nvidia = {
        modesetting.enable = true;
        powerManagement.enable = false;
        open = false;
        nvidiaSettings = false;
        package = config.boot.kernelPackages.nvidiaPackages.stable;
      };

      services.resolved.enable = true;

      sops = {
        defaultSopsFile = "${secretsFile}";
        validateSopsFiles = false;

        age = {
          sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
        };
      };

      imports = [
        arion.nixosModules.arion
        sops-nix.nixosModules.sops
        ../arion-containers/arrstack.nix
        ../arion-containers/jellyfin.nix
        ../arion-containers/photoprism.nix
        ../arion-containers/syncthing.nix
        (import ../arion-containers/searxng.nix {configVars = configVars;})
      ];

      environment.systemPackages = [
        pkgs.vim
        pkgs.git
        pkgs.arion
        pkgs.dive
        pkgs.podman-tui
        pkgs.podman-compose
        pkgs.unstable.nvidia-container-toolkit
      ];

      virtualisation = {
        containers.cdi.dynamic.nvidia.enable = true;
        podman = {
          enableNvidia = true;
          enable = true;
          dockerSocket.enable = true;
          defaultNetwork.settings.dns_enabled = true;
          dockerCompat = true;
        };
      };

      networking.firewall.interfaces."podman+".allowedUDPPorts = [53];

      systemd.services.podman-autostart = {
        enable = true;
        after = ["podman.service"];
        wantedBy = ["multi-user.target"];
        description = "Automatically start containers with --restart=always tag";
        serviceConfig = {
          Type = "idle";
          ExecStartPre = ''${pkgs.coreutils}/bin/sleep 1'';
          ExecStart = ''/run/current-system/sw/bin/podman start --all --filter restart-policy=always'';
        };
      };

      services.prometheus = {
        exporters = {
          node = {
            enable = true;
            enabledCollectors = ["systemd"];
            openFirewall = true;
          };
        };
      };

      services.openssh = {
        enable = true;
        settings.PasswordAuthentication = false;
      };

      users.users = {
        root = {
          openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
        };
      };

      system.stateVersion = "24.05";
    };
  };
}