{ pkgs, config, python3Packages, ... }:
let
  domain = "snapcast.cloonar.com";
in
{
  security.acme.certs."${domain}" = {
    group = "nginx";
  };

  containers.snapcast = {
    autoStart = true;
    ephemeral = false; # because of ssh key
    privateNetwork = true;
    hostBridge = "server";
    hostAddress = "10.42.97.1";
    localAddress = "10.42.97.21/24";
    bindMounts = {
      "/var/lib/acme/snapcast/" = {
        hostPath = "${config.security.acme.certs.${domain}.directory}";
        isReadOnly = true;
      };
    };
    config = { lib, config, pkgs, python3Packages, ... }:
    let
      shairport-sync = pkgs.shairport-sync.overrideAttrs (_: {
        configureFlags = [
          "--with-alsa" "--with-pipe" "--with-pa" "--with-stdout"
          "--with-avahi" "--with-ssl=openssl" "--with-soxr"
          "--without-configfiles"
          "--sysconfdir=/etc"
          "--with-metadata"
        ];
      });
    in
    {
      networking = {
        hostName = "snapcast";
        useHostResolvConf = false;
        defaultGateway = {
          address = "10.42.96.1";
          interface = "eth0";
        };
        nameservers = [ "10.42.97.1" ];
        firewall.enable = false;
      };
      environment.etc = {
        # Creates /etc/nanorc
        shairport = {
          text = ''
            whatever you want to put in the file goes here.
            metadata =
            {
              enabled = "yes"; // set this to yes to get Shairport Sync to solicit metadata from the source and to pass it on via a pipe
              include_cover_art = "yes"; // set to "yes" to get Shairport Sync to solicit cover art from the source and pass it via the pipe. You must also set "enabled" to "yes".
              cover_art_cache_directory = "/tmp/shairport-sync/.cache/coverart"; // artwork will be  stored in this directory if the dbus or MPRIS interfaces are enabled or if the MQTT client is in use. Set it to "" to prevent caching, which may be useful on some systems
              pipe_name = "/tmp/shairport-sync-metadata";
              pipe_timeout = 5000; // wait for this number of milliseconds for a blocked pipe to unblock before giving up
            };
          '';

          # The UNIX file mode bits
          mode = "0440";
        };
      };

      services.snapserver = {
        enable = true;
        codec = "flac";
        http.docRoot = "${pkgs.snapcast}/share/snapserver/snapweb";
        streams.mopidy  = {
          type = "pipe";
          location = "/run/snapserver/mopidy";
        };
        streams.airplay = {
          type = "airplay";
          location = "${shairport-sync}/bin/shairport-sync";
          query = {
            devicename = "Multi Room New";
            port = "5000";
            params = "--mdns=avahi";
          };
        };
        streams.mixed = {
          type = "meta";
          location = "/airplay/mopidy";
        };
      };

      services.avahi.enable = true;
      services.avahi.publish.enable = true;
      services.avahi.publish.userServices = true;

      services.nginx.virtualHosts."snapcast.cloonar.com" = {
        sslCertificate = "/var/lib/acme/snapcast/fullchain.pem";
        sslCertificateKey = "/var/lib/acme/snapcast/key.pem";
        sslTrustedCertificate = "/var/lib/acme/snapcast/chain.pem";
        forceSSL = true;
        extraConfig = ''
          proxy_buffering off;
        '';
        locations."/".extraConfig = ''
          proxy_pass http://127.0.0.1:1780;
          proxy_set_header Host $host;
          proxy_redirect http:// https://;
          proxy_http_version 1.1;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection $connection_upgrade;
        '';
      };

      system.stateVersion = "23.05";
    };
  };
}