{ lib, config, proxyReverse, ... }:
let
  port = 42010;
  url = "maloja.${config.my.domain}";
in {
  options.my.servers.maloja.enable = lib.mkEnableOption "enable";
  config = lib.mkIf config.my.servers.maloja.enable {
    sops.secrets."maloja/password" = { };
    virtualisation.oci-containers = {
      backend = "docker";
      containers.maloja = {
        image = "krateng/maloja";
        ports = [ "${toString port}:${toString port}" ];
        environment = {
          TZ = "America/Mexico_City";
          MALOJA_TIMEZONE = "-6";
          PUID = "1000";
          PGID = "100";
          MALOJA_DATA_DIRECTORY = "/mljdata";
          MALOJA_SKIP_SETUP = "true";
          MALOJA_FORCE_PASSWORD =
            "cat ${config.sops.secrets."maloja/password".path}";
        };
        volumes = [ "${config.my.containerData}/maloja:/mljdata" ];
        labels = {
          "flame.type" = "application";
          "flame.name" = "Maloja";
          "flame.url" = url;
          "flame.icon" = "bookmark-music";
        };
      };
    };
    services.nginx = {
      enable = true;
      virtualHosts."${url}" = proxyReverse port // { };
    };
  };
}