# NixOS module: runs a Firefox Sync server in the declarative container
# "firefox-sync". Inside the container, nginx terminates TLS on port 5000 and
# proxies to the sync service on localhost:5001.
{ config, pkgs, ... }:
let
  domain = "sync.cloonar.com";
in {
  # Secret declared through the sops.secrets option. The bind mount below
  # exposes /run/secrets/firefox-sync to the container read-only.
  sops.secrets.firefox-sync = { };

  # ACME certificate for the sync domain, owned by group "nginx".
  # NOTE(review): the nginx that reads these files runs inside the container;
  # confirm the group resolves to the same GID on host and container.
  security.acme.certs."${domain}" = { group = "nginx"; };

  containers."firefox-sync" = {
    autoStart = true;
    # Original note: "because of ssh key" - presumably the container's SSH host
    # key, which has to survive restarts; confirm.
    ephemeral = false;
    # Container gets its own network namespace, attached to host bridge "server".
    privateNetwork = true;
    hostBridge = "server";
    hostAddress = "${config.networkPrefix}.97.1";
    localAddress = "${config.networkPrefix}.97.51/24";

    bindMounts = {
      # Sync server secrets file, read-only inside the container.
      "/run/secrets/firefox-sync" = {
        hostPath = "/run/secrets/firefox-sync";
        isReadOnly = true;
      };
      # Whole ACME directory for the domain, read-only. This includes key.pem,
      # so the TLS private key is readable inside the container.
      "/var/lib/acme/${domain}/" = {
        hostPath = "${config.security.acme.certs.${domain}.directory}";
        isReadOnly = true;
      };
    };

    # NOTE(review): this module function takes its own `config` argument, which
    # shadows the host-level `config` from the top of the file. The
    # `config.networkPrefix` references below therefore read the container's
    # configuration, not the host's; confirm the option is defined there, or
    # bind the host value in the outer `let` and use that instead.
    config = { lib, config, pkgs, ... }: {
      networking = {
        hostName = "firefox-sync";
        useHostResolvConf = false;
        # Gateway and resolver both point at the same .97.1 address that
        # hostAddress uses above.
        defaultGateway = {
          address = "${config.networkPrefix}.97.1";
          interface = "eth0";
        };
        # The container firewall is off, so nothing inside the container
        # filters traffic to nginx (5000), sshd, or any other service bound to
        # a non-loopback address.
        # NOTE(review): consider enabling it and allowing only the ports that
        # must be reachable from the bridge.
        firewall.enable = false;
        nameservers = [ "${config.networkPrefix}.97.1" ];
      };

      # TLS front end: serves the bind-mounted ACME certificate on all IPv4
      # addresses, port 5000, and forwards to the sync server over plain HTTP
      # on loopback.
      services.nginx.enable = true;
      services.nginx.virtualHosts."${domain}" = {
        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
        sslTrustedCertificate = "/var/lib/acme/${domain}/chain.pem";
        listen = [ { addr = "0.0.0.0"; ssl = true; port = 5000; } ];
        locations."/" = {
          proxyPass = "http://localhost:5001/";
          recommendedProxySettings = true;
        };
      };

      # Use MariaDB as the MySQL implementation. services.mysql is not enabled
      # here; presumably singleNode.enable below does that - confirm.
      services.mysql.package = pkgs.mariadb;

      services.firefox-syncserver = {
        enable = true;
        singleNode = {
          enable = true;
          # nginx is configured by hand above, so the module's own nginx
          # integration is switched off.
          enableNginx = false;
          hostname = domain;
        };
        settings = {
          port = 5001;
          tokenserver.enable = true;
        };
        # Path of the bind-mounted secrets file.
        secrets = "/run/secrets/firefox-sync";
        # "trace" is the most verbose level.
        # NOTE(review): trace output from a sync/token service may carry
        # request details into the journal; check what is logged and lower the
        # level outside of debugging.
        logLevel = "trace";
      };

      # sshd runs inside the container and root accepts the two public keys
      # below. With the firewall disabled above, sshd is reachable by anything
      # that can route to the container address.
      # NOTE(review): confirm both keys are still in use and that direct root
      # login is intended.
      services.openssh.enable = true;
      users.users.root.openssh.authorizedKeys.keys = [
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
      ];

      system.stateVersion = "23.05";
    };
  };
}