{ config, pkgs, ... }:

# TP-Link Omada controller, run as a Docker container via the NixOS
# virtualisation.oci-containers module. Controller state and logs live on
# the host under /var/lib/omada so they survive container re-creation.
{
  # Host-side service account. Nothing in this module actually runs as this
  # user: oci-containers starts the container through the Docker daemon,
  # which runs as root. The account only owns the /var/lib/omada home dir.
  users.users.omada.isSystemUser = true;
  users.users.omada.group = "omada";
  users.users.omada.home = "/var/lib/omada";
  users.users.omada.createHome = true;
  users.groups.omada = { };

  # SECURITY: membership in the `docker` group is root-equivalent on the host
  # (anyone who can reach the daemon socket can bind-mount / into a container
  # and run it privileged). No consumer in this module needs the grant -- the
  # container is started by the daemon, not by this user -- so it should be
  # dropped unless the account is also used for manual `docker` CLI work.
  # The original TODO ("check if we can run docker service as other user than
  # root") would be answered by a rootless daemon, which is not configured here.
  users.groups.docker.members = [ "omada" ];

  virtualisation.oci-containers.containers.omada = {
    # NOTE(review): `5.9` is a mutable tag. Pin by digest
    # (`mbentley/omada-controller:5.9@sha256:<digest>`) so an upstream re-push
    # of the tag cannot silently change what gets deployed.
    image = "mbentley/omada-controller:5.9";

    # Persistent controller data and logs. Docker creates missing host paths
    # itself (as root), so these subdirectories are not necessarily owned by
    # the `omada` account even though its home is.
    volumes = [
      "/var/lib/omada/data:/opt/tplink/EAPController/data"
      "/var/lib/omada/logs:/opt/tplink/EAPController/logs"
    ];

    # Fixed address on a pre-existing Docker network named `server`. If that
    # network is a macvlan/ipvlan (the abandoned draft below hints at one),
    # the controller's listening ports are reachable from that L2 segment
    # directly and are NOT filtered by networking.firewall on the host --
    # confirm that exposure is intended.
    extraOptions = [
      "--ip=10.42.97.3"
      "--network=server"
    ];
  };

  # Abandoned draft of a systemd-nspawn (NixOS `containers`) variant. It is
  # commented out and never evaluated; as written it would not evaluate
  # anyway: it references an unbound `domain`, still carries gitea paths
  # copied from another module, and declares `bindMounts` twice.
  # security.acme.certs."${domain}" = {
  #   domain = "${domain}";
  # };
  # containers.omada = {
  #   autoStart = true;
  #   ephemeral = true;
  #   macvlans = [ "vserver" ];
  #   bindMounts = {
  #     "/var/lib/gitea" = {
  #       hostPath = "/var/lib/gitea/";
  #       isReadOnly = false;
  #     };
  #   };
  #   bindMounts = {
  #     "/var/lib/acme/gitea/" = {
  #       hostPath = "${config.security.acme.certs.${domain}.directory}";
  #       isReadOnly = true;
  #     };
  #   };
  #   config = { lib, config, pkgs, ... }: {
  #     networking = {
  #       hostName = "gitea";
  #       interfaces.mv-vserver = {
  #         useDHCP = true;
  #       };
  #       firewall = {
  #         enable = true;
  #         allowedTCPPorts = [ 22 80 443 ];
  #       };
  #     };
  #   };
  # };
}