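# Helpers for declaring Traefik-fronted OCI containers and per-app databases.
#
# This file is a function of the outer module `config`. The argument is not
# used by anything below (the database helpers return their own modules and
# take `config` from the module system), but it is kept so existing callers
# that do `import ./this.nix config` keep working.
config:
let
  havenisms = "havenisms.com";
  blazestar = "blazestar.net";
  terakoda = "terakoda.com";
  terakoda_net = "terakoda.net";

  # Traefik matcher for `<host>.<domain>`.
  hostRule = host: domain: "Host(`${host}.${domain}`)";
  hostRuleHavenisms = host: hostRule host havenisms;

  # Address ranges that count as "local" for services declared with
  # `public = false`.
  localNet = "192.168.0.0/16";
  dockerNet = "10.88.0.0/16";
  # SECURITY NOTE: the container network (dockerNet) is part of this rule, so
  # every container on that bridge satisfies it -- a compromised container can
  # reach any non-public service behind Traefik. ClientIP() also only reflects
  # the real peer if Traefik terminates the connection itself; when it sits
  # behind another proxy, make sure forwardedHeaders.trustedIPs is restricted,
  # otherwise a forged X-Forwarded-For header would pass this check.
  localNetRule = "(ClientIP(`${localNet}`) || ClientIP(`${dockerNet}`))";
  # Matcher for `<host>.<domain>` that additionally requires a local client.
  localHostRule = host: domain: "${localNetRule} && ${hostRule host domain}";
  localHostRuleHavenisms = host: localHostRule host havenisms;
in
{
  inherit hostRule localHostRule hostRuleHavenisms localHostRuleHavenisms
    havenisms blazestar terakoda terakoda_net;

  # Builds a `virtualisation.oci-containers.containers.<name>` value for an
  # application fronted by Traefik.
  #
  #   image, dependsOn, volumes, environment, environmentFiles, ports, user
  #     are passed through unchanged to the container definition.
  #   hostName   name of the Traefik router/service and the host label.
  #   port       container port Traefik forwards to.
  #   domain     DNS suffix for the Host() rule (default: havenisms).
  #   public     false (default) restricts the router to localNet/dockerNet
  #              clients via localHostRule; true exposes it to any client.
  #   homepageOpts  when non-empty, must provide group/name/icon/description;
  #              they are emitted as `homepage.*` labels.
  #
  # NOTE: the router and service names are derived from hostName only, so two
  # containers sharing a hostName under different domains would collide in
  # Traefik.
  mkContainer =
    { image
    , hostName
    , port
    , homepageOpts ? { }
    , dependsOn ? [ ]
    , domain ? havenisms
    , ports ? [ ]
    , volumes ? [ ]
    , environment ? { }
    , environmentFiles ? [ ]
    , public ? false
    , user ? null
    }:
    let
      routerRule =
        if public
        then hostRule hostName domain
        else localHostRule hostName domain;
      homepageLabels =
        if homepageOpts == { } then { } else {
          "homepage.group" = "${homepageOpts.group}";
          "homepage.name" = "${homepageOpts.name}";
          "homepage.icon" = "${homepageOpts.icon}";
          "homepage.href" = "https://${hostName}.${domain}";
          "homepage.description" = "${homepageOpts.description}";
        };
    in
    {
      inherit image dependsOn volumes environment environmentFiles ports user;
      autoStart = true;
      labels = {
        "traefik.enable" = "true";
        "traefik.http.routers.${hostName}.rule" = "${routerRule}";
        "traefik.http.services.${hostName}.loadbalancer.server.port" = "${toString port}";
      } // homepageLabels;
    };

  # Creates a MariaDB container for a specific app. It should be safe to give
  # it the same UID and GID as the app it is made for. The container will be
  # named `${name}-mariadb`. The database name is the same as the database
  # user.
  #
  #   passwordSecret  name of the sops secret holding the app user's password.
  #   directory       host path mounted at /config (data and config).
  #   image           image reference (default keeps the previous `:latest`
  #                   tag; pin a digest or version for reproducible deploys).
  #   ports           host port publications. The default keeps the previous
  #                   behaviour of publishing 3306 on every host interface.
  #                   SECURITY NOTE: pass `[ ]` or `[ "127.0.0.1:3306:3306" ]`
  #                   unless other hosts really need to reach this database.
  #
  # NOTE: the root password comes from the single `mariadb_root_password`
  # secret, so it is shared by every database created with this helper.
  #
  # Note that this returns a _module_ so that it can be imported and provide
  # many different config values.
  mkMariaDbContainer =
    { name
    , uid
    , gid
    , passwordSecret
    , directory
    , image ? "lscr.io/linuxserver/mariadb:latest"
    , ports ? [ "3306:3306" ]
    }:
    { config, ... }:
    {
      virtualisation.oci-containers.containers."${name}-mariadb" = {
        inherit image ports;
        autoStart = true;
        volumes = [
          "${directory}:/config"
          "${config.sops.secrets.mariadb_root_password.path}:/run/secrets/mariadb_root_password"
          "${config.sops.secrets."${passwordSecret}".path}:/run/secrets/mariadb_password"
        ];
        environment = {
          PUID = "${toString uid}";
          PGID = "${toString gid}";
          MYSQL_USER = name;
          MYSQL_DATABASE = name;
          FILE__MYSQL_ROOT_PASSWORD = "/run/secrets/mariadb_root_password";
          FILE__MYSQL_PASSWORD = "/run/secrets/mariadb_password";
        };
      };
    };

  # Creates a PostgreSQL container for a specific app; like mkMariaDbContainer
  # this returns a module.
  #
  #   name            base name; default container name is `${name}-postgres`,
  #                   default database and user name are `name`.
  #   uid, gid        the container process runs as `uid:gid`, so the data
  #                   directory and the mounted secret file must be readable
  #                   by that uid (set sops.secrets.<passwordSecret>.owner or
  #                   mode accordingly -- NOTE(review): not enforced here).
  #   passwordSecret  name of the sops secret holding the database password.
  #   directory       host path for the data directory.
  #   image           image reference (default keeps the previous untagged
  #                   `postgres`, i.e. `latest`; pin a major version so an
  #                   image update cannot leave the data directory unreadable).
  #   ports           host port publications; none by default, so the database
  #                   is reachable only over the container network.
  mkPostgresContainer =
    { name
    , uid
    , gid
    , passwordSecret
    , directory
    , containerName ? "${name}-postgres"
    , databaseName ? name
    , username ? name
    , image ? "postgres"
    , ports ? [ ]
    }:
    { config, ... }:
    {
      virtualisation.oci-containers.containers."${containerName}" = {
        inherit image ports;
        autoStart = true;
        volumes = [
          # Note that data must be mounted at this location to persist.
          # See https://github.com/docker-library/docs/blob/master/postgres/README.md#pgdata
          "${directory}:/var/lib/postgresql/data"
          "${config.sops.secrets."${passwordSecret}".path}:/run/secrets/postgres_password"
        ];
        user = "${toString uid}:${toString gid}";
        environment = {
          POSTGRES_USER = username;
          POSTGRES_DB = databaseName;
          POSTGRES_PASSWORD_FILE = "/run/secrets/postgres_password";
        };
      };
    };
}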