# NixOS module: declares the "firefox-sync" container, which runs the Firefox
# sync server behind an in-container nginx on a private, bridged network.
{ config, pkgs, ... }:
let
  domain = "sync.cloonar.com";

  # Bound out here because the container's module function below takes its own
  # `config` argument, which shadows the host's `config`.
  networkPrefix = config.networkPrefix;

  # Host-side address of the container link; the container also uses it as its
  # default gateway and its only nameserver.
  hostSideAddress = "${networkPrefix}.97.1";

  # The secrets file lives at the same path on the host and in the container.
  secretsFile = "/run/secrets/firefox-sync";
in
{
  # presumably sops-nix places the decrypted secret at /run/secrets/firefox-sync
  # (its default location), which is the path bind-mounted below — confirm.
  sops.secrets.firefox-sync = { };

  # Host-side certificate for the public name, issued with group "nginx".
  # NOTE(review): the vhost inside the container has forceSSL/enableACME off, so
  # TLS is presumably terminated by a host-side proxy and the hop over the
  # "server" bridge is plain HTTP — confirm that bridge is trusted.
  security.acme.certs."${domain}".group = "nginx";

  containers."firefox-sync" = {
    autoStart = true;
    ephemeral = false; # because of ssh key
    privateNetwork = true;
    hostBridge = "server";
    hostAddress = hostSideAddress;
    localAddress = "${networkPrefix}.97.6/24";

    # Read-only mount: the container can read the secret but cannot rewrite it.
    bindMounts."${secretsFile}" = {
      hostPath = secretsFile;
      isReadOnly = true;
    };

    config = { lib, config, pkgs, ... }: {
      system.stateVersion = "23.05";

      networking = {
        hostName = "firefox-sync";
        # Resolver is set explicitly instead of copying the host's resolv.conf.
        useHostResolvConf = false;
        nameservers = [ hostSideAddress ];
        defaultGateway = {
          address = hostSideAddress;
          interface = "eth0";
        };

        firewall = {
          enable = true;
          # NOTE(review): 443 is allowed, but the only vhost declared here has
          # TLS disabled, so nothing in this block listens there. Confirm 443 is
          # needed; otherwise allow 80 only.
          allowedTCPPorts = [ 80 443 ];
        };
      };

      services = {
        mysql.package = pkgs.mariadb;

        firefox-syncserver = {
          enable = true;
          secrets = secretsFile;
          settings.tokenserver.enable = true;

          singleNode = {
            enable = true;
            hostname = domain;
            url = "https://${domain}";
          };

          # NOTE(review): "trace" is the most verbose level. For a service that
          # handles sync tokens, confirm this is a temporary debugging setting
          # and check what ends up in the journal before leaving it enabled.
          logLevel = "trace";
        };

        nginx = {
          enable = true;
          virtualHosts."${domain}" = {
            # Plain HTTP only inside the container (see note on the ACME cert).
            forceSSL = false;
            enableACME = false;
            # presumably port 5000 is the sync server's listen port — confirm.
            locations."/".proxyPass = "http://localhost:5000/";
          };
        };
      };
    };
  };
}