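# NixOS module: TP-Link Omada controller as an OCI container, plus a NixOS
# container attached to the "vserver" macvlan with a host-issued ACME cert.
#
# `domain` is used for the ACME certificate but the original function pattern
# `{ config, pkgs, ... }` did not bind it, so evaluation failed with
# "undefined variable 'domain'". It is now a required module argument and must
# be supplied by the caller (e.g. via `specialArgs` or `_module.args`).
{ config, pkgs, domain, ... }:
{
  # Unprivileged service account owning the controller's state directory.
  users.users.omada = {
    isSystemUser = true;
    group = "omada";
    home = "/var/lib/omada";
    createHome = true;
  };
  users.groups.omada = { };

  # SECURITY: membership in the `docker` group is root-equivalent on the host
  # (anyone who can talk to the daemon socket can start a privileged container
  # with / bind-mounted), so this line does not confine the omada user at all.
  # TODO: check if we can run docker service as other user than root
  users.groups.docker.members = [ "omada" ];

  virtualisation.oci-containers.containers.omada = {
    image = "mbentley/omada-controller:5.9";
    # Controller data and logs are persisted on the host.
    volumes = [
      "/var/lib/omada/data:/opt/tplink/EAPController/data"
      "/var/lib/omada/logs:/opt/tplink/EAPController/logs"
    ];
    # NOTE(review): `--ip` is only honoured on a user-defined Docker network;
    # no `--network=...` is set here, so confirm one is configured elsewhere.
    extraOptions = [ "--ip=10.42.97.2" ];
  };

  # Certificate for `domain`, issued on the host and shared with the container.
  security.acme.certs.${domain} = {
    domain = domain;
  };

  # NOTE(review): the container is named `omada`, yet its hostname and its
  # read-write bind mount refer to gitea — this looks like a copy/paste of a
  # gitea container definition; confirm which service it is meant to run.
  containers.omada = {
    autoStart = true;
    ephemeral = true;
    macvlans = [ "vserver" ];
    # Both mounts live in one attribute set. The original assigned
    # `bindMounts` twice in the same set, which Nix rejects as a duplicate
    # attribute ("attribute 'bindMounts' already defined").
    bindMounts = {
      "/var/lib/gitea" = {
        hostPath = "/var/lib/gitea/";
        isReadOnly = false;
      };
      # ACME material is exposed read-only so the container cannot alter it.
      "/var/lib/acme/gitea/" = {
        hostPath = config.security.acme.certs.${domain}.directory;
        isReadOnly = true;
      };
    };

    config = { lib, config, pkgs, ... }: {
      networking = {
        hostName = "gitea";
        # The macvlan interface gets its address from the LAN's DHCP server,
        # i.e. the container is directly reachable on that network.
        interfaces.mv-vserver.useDHCP = true;
        firewall = {
          enable = true;
          # Port 22 is opened although no sshd is enabled in this config;
          # drop it unless the container really runs an SSH daemon.
          allowedTCPPorts = [ 22 80 443 ];
        };
      };
    };
  };
}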