{ config, ... }:
let
  inherit (import ./lib.nix config) mkContainer terakoda;
in
{
  sops = {
    # Encrypted secrets decrypted by sops-nix at activation time.
    secrets = {
      "offen/smtp-token" = {};
      "offen/secret" = {};
    };

    # Render the secrets into an env file that only the offen user can read.
    # Placeholders are substituted with the decrypted values at activation.
    templates."offen.env" = {
      mode = "0400";
      owner = config.users.users.offen.name;
      group = config.users.users.offen.group;
      content = ''
        OFFEN_SECRET="${config.sops.placeholder."offen/secret"}"
        OFFEN_SMTP_USER="offen@terakoda.com"
        OFFEN_SMTP_PASSWORD="${config.sops.placeholder."offen/smtp-token"}"
        OFFEN_SMTP_HOST="smtp.protonmail.ch"
        OFFEN_SMTP_PORT="587"
        OFFEN_SMTP_SENDER="offen@terakoda.com"
        OFFEN_SMTP_AUTHTYPE="LOGIN"
      '';
    };
  };

  virtualisation.oci-containers.containers.offen = mkContainer {
    image = "offen/offen";
    hostName = "offen";
    domain = terakoda;
    # Run the container process as the unprivileged offen user/group.
    user = "${toString config.users.users.offen.uid}:${toString config.users.groups.offen.gid}";
    port = 80;
    volumes = [
      # Rendered env file, mounted read-only into the container.
      "${config.sops.templates."offen.env".path}:/etc/offen/offen.env:ro"
      # Persistent application data.
      "/tank/offen/data:/var/opt/offen"
    ];
    # TODO: When running with this option the service fails to start with errors:
    # Unmounting /var/lib/containers/storage/overlay/{hash}/merged: invalid argument
    # Error: mounting storage for container {hash}: creating overlay mount to {overlay info}
    # extraOptions = [
    #   "--uidmap=10000:${toString userIds.offen.uid}"
    #   "--gidmap=10001:${toString userIds.offen.gid}"
    # ];
  };
}