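# NixOS module: runs Ryot as a Docker-backed OCI container and exposes it
# through an nginx virtual host at tracker.<my.domain>.
#
# Enabled only when both my.servers.ryot.enable and my.servers.postgres.enable
# are set, because the container reaches PostgreSQL over the bind-mounted
# socket directory (config.my.postgresSocket).
{ lib, config, proxyReverse, ... }:
let
  # Port handed to proxyReverse for the virtual host and published by the
  # container below, so both sides agree on one value.
  # NOTE(review): presumably proxyReverse treats this as the upstream port on
  # the host; confirm against its definition.
  port = 8881;
  url = "tracker.${config.my.domain}";
in
{
  options.my.servers.ryot.enable = lib.mkEnableOption "enable";

  config = lib.mkIf (config.my.servers.ryot.enable && config.my.servers.postgres.enable) {
    sops = {
      secrets = {
        "ryot/twitch/id" = { };
        "ryot/twitch/secret" = { };
      };
      # Rendered at activation time into an env file holding the decrypted
      # values. Container environment entries are passed literally, never
      # through a shell, so a "cat <path>" value would give Ryot the command
      # text instead of the credential.
      templates."ryot.env".content = ''
        VIDEO_GAMES_TWITCH_CLIENT_ID=${config.sops.placeholder."ryot/twitch/id"}
        VIDEO_GAMES_TWITCH_CLIENT_SECRET=${config.sops.placeholder."ryot/twitch/secret"}
      '';
    };

    virtualisation.oci-containers = {
      backend = "docker";
      containers.ryot = {
        # NOTE(review): a tag is mutable on the registry; pinning the image by
        # digest as well would make the deployed artifact reproducible.
        image = "ghcr.io/ignisda/ryot:v5.5.0";
        # Previously published on host port 8765 while the vhost was built
        # from `port` (8881), so the two did not line up.
        # NOTE(review): Docker publishes on all interfaces by default; if
        # proxyReverse targets loopback, a "127.0.0.1:" prefix here would keep
        # the app reachable only through nginx. Confirm before changing.
        ports = [ "${toString port}:8000" ];
        environment = {
          TZ = "America/Mexico_City";
          DATABASE_URL = "postgres:///ryot?host=${config.my.postgresSocket}";
          # NOTE(review): this lets session cookies be sent without the Secure
          # attribute. If the virtual host is served over TLS, it can likely
          # be removed. Confirm how proxyReverse configures the vhost.
          FRONTEND_INSECURE_COOKIES = "true";
        };
        # Twitch credentials are read from the sops-rendered file instead of
        # being written into `environment`.
        environmentFiles = [ config.sops.templates."ryot.env".path ];
        # Same path inside and outside the container so DATABASE_URL resolves.
        volumes = [ "${config.my.postgresSocket}:${config.my.postgresSocket}" ];
        labels = {
          "flame.type" = "application";
          "flame.name" = "Ryot";
          "flame.url" = url;
          "flame.icon" = "radar";
        };
      };
    };

    services.nginx = {
      enable = true;
      virtualHosts.${url} = proxyReverse port;
    };
  };
}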