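# NixOS module: runs an nginx reverse proxy inside a declarative NixOS
# container ("reverse-proxy") attached to the host bridge br0.
#
# Arguments:
#   pkgs       - package set; its path is reused as the container's nixpkgs.
#   lib        - nixpkgs lib (used for listFilesRecursive / forEach).
#   configVars - project-specific attribute set; only
#                configVars.networking.addresses.<name>.ip is read here.
{
  pkgs,
  lib,
  configVars,
  ...
}: let
  containerName = "reverse-proxy";
  containerIp = configVars.networking.addresses.reverse-proxy.ip;

  gatewayIp = configVars.networking.addresses.gateway.ip;
  # Every file found under this directory (recursively) is later installed as
  # an authorized SSH key for root inside the container.
  pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;

  # Upstream addresses the proxy forwards to.
  dockerContainerIp = configVars.networking.addresses.docker.ip;
  bdWorker = configVars.networking.addresses.bd-worker.ip;
  pihole = configVars.networking.addresses.pihole.ip;
  bitcoinNode = configVars.networking.addresses.bitcoin-node.ip;
  metricsServer = configVars.networking.addresses.metrics-server.ip;
in {
  # NOTE(review): the NAT rule matches host interfaces named "ve-*". This
  # container sets hostBridge, and bridged NixOS containers normally get a
  # "vb-*" host-side interface, so the rule probably does not apply to it.
  # Confirm whether another container depends on it before removing.
  networking.nat.enable = true;
  networking.nat.internalInterfaces = ["ve-+"];
  networking.nat.externalInterface = "br0";

  # Keep the container's state directory across reboots (presumably via the
  # impermanence module, which provides environment.persistence).
  environment.persistence."/persist" = {
    hideMounts = true;
    directories = [
      "/var/lib/nixos-containers/${containerName}"
    ];
  };

  containers."${containerName}" = {
    # NOTE(review): enableTun grants the container NET_ADMIN and access to
    # /dev/net/tun. Nothing in this module uses a tunnel device; drop it if no
    # VPN runs in this container (least privilege).
    enableTun = true;
    autoStart = true;
    privateNetwork = true;
    hostBridge = "br0";
    nixpkgs = pkgs.path;

    config = {
      pkgs,
      lib,
      config,
      ...
    }: {
      networking = {
        defaultGateway = "${gatewayIp}";
        interfaces.eth0.ipv4.addresses = [
          {
            "address" = "${containerIp}";
            "prefixLength" = 24;
          }
        ];
        firewall = {
          enable = true;
          # Only HTTP is listed here. sshd stays reachable because NixOS opens
          # its port separately unless services.openssh.openFirewall is
          # turned off.
          allowedTCPPorts = [
            80
          ];
        };
        # Do not inherit the host's resolv.conf; the container resolves names
        # through its own systemd-resolved instance (enabled below).
        useHostResolvConf = lib.mkForce false;
      };

      services.resolved.enable = true;

      imports = [
      ];

      environment.systemPackages = [
        pkgs.vim
        pkgs.git
        pkgs.nginx
      ];

      # Name-based virtual hosts, each forwarding "/" to one internal service.
      #
      # NOTE(review): everything is served over plain HTTP, and no vhost sets
      # an allow/deny list or authentication. Any host that can reach port 80
      # on br0 can reach these UIs, and their logins cross the LAN unencrypted.
      # Consider TLS (forceSSL with an internal CA) and per-vhost access
      # restrictions for the admin interfaces.
      #
      # NOTE(review): no vhost is marked `default = true`, so a request with an
      # unrecognised Host header is answered by whichever server block nginx
      # loads first. A catch-all default vhost that refuses the request would
      # make that explicit.
      services.nginx = {
        enable = true;
        virtualHosts = {
          "jellyfin.lan" = {
            locations."/".proxyPass = "http://${dockerContainerIp}:8096";
          };
          "mempool.lan" = {
            locations."/".proxyPass = "http://${bitcoinNode}:4080";
          };
          "grafana.lan" = {
            locations."/".proxyPass = "http://${metricsServer}:2342";
            # Pin the Host header sent upstream to the public vhost name.
            extraConfig = ''
              proxy_set_header Host grafana.lan;
            '';
          };
          "metrics.lan" = {
            locations."/".proxyPass = "http://${metricsServer}:9001";
          };
          "searx.lan" = {
            locations."/".proxyPass = "http://${dockerContainerIp}:8855";
          };
          "dns.lan" = {
            locations."/".proxyPass = "http://${pihole}:80";
          };
          "prefect.lan" = {
            locations."/".proxyPass = "http://${bdWorker}:4200";
          };
        };
      };

      services.openssh = {
        enable = true;
        settings = {
          PasswordAuthentication = false;
          # PasswordAuthentication alone leaves keyboard-interactive (PAM)
          # logins enabled, which can still accept a password. Disable it so
          # the container is reachable with keys only.
          KbdInteractiveAuthentication = false;
          # Pins the NixOS default explicitly: root may log in, but only with
          # a key.
          PermitRootLogin = "prohibit-password";
        };
      };

      users.users = {
        root = {
          # Each file under ../../users/keys is read verbatim as one
          # authorized_keys entry. NOTE(review): there is no filter on file
          # name or content, so that directory must hold public keys only.
          # Any other file placed there would also be embedded in the system
          # configuration.
          openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
        };
      };

      system.stateVersion = "24.05";
    };
  };
}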