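# NixOS module that runs Maloja as an OCI container and optionally
# publishes it through an nginx virtual host.
#
# Reads from `config.my.servers.maloja` (declared via `setup.mkOptions`):
# enable, isLocal, port, url, host, hostName, enableProxy.
# `setup` and `proxyReverse` are project helpers passed in as module
# arguments; their definitions are not visible in this file.
{
  lib,
  config,
  proxyReverse,
  setup,
  ...
}:
let
  cfg = config.my.servers.maloja;
in
{
  # presumably (name, subdomain, default port) — confirm against setup.mkOptions
  options.my.servers.maloja = setup.mkOptions "maloja" "maloja" 42010;

  config = {
    # Open the port only when the service is actually enabled on this host
    # AND it is not marked local. The `cfg.enable` guard keeps a disabled
    # service from leaving a hole in the firewall.
    networking.firewall.allowedTCPPorts = lib.mkIf (cfg.enable && !cfg.isLocal) [ cfg.port ];

    # Secret environment file, decrypted by sops-nix at activation time.
    sops.secrets = lib.mkIf cfg.enable {
      maloja.sopsFile = ../../secrets/env.yaml;
    };

    virtualisation.oci-containers.containers.maloja = lib.mkIf cfg.enable {
      # NOTE(review): `latest` is a mutable tag, so a rebuild can pull a
      # different image than the one that was reviewed. Pin a specific
      # version tag or an image digest for reproducible, auditable deploys.
      image = "krateng/maloja:latest";

      # NOTE(review): this publishes the port on every host interface, also
      # when cfg.isLocal is set. Ports published by the container runtime may
      # not be filtered by the NixOS firewall, so the allowedTCPPorts guard
      # above is not necessarily what keeps this port private. Consider a
      # loopback-only binding for the local case once it is confirmed how
      # proxyReverse reaches the backend.
      ports = [ "${toString cfg.port}:${toString cfg.port}" ];

      # Secrets are passed as an env file path, so they stay out of the
      # world-readable Nix store.
      environmentFiles = [ config.sops.secrets.maloja.path ];

      environment = {
        TZ = config.my.timeZone;
        # NOTE(review): hard-coded offset next to TZ above; confirm the two
        # agree (a fixed offset does not follow DST).
        MALOJA_TIMEZONE = "-6";
        PUID = "1000";
        PGID = "100";
        MALOJA_DATA_DIRECTORY = "/mljdata";
        # Interactive first-run setup is skipped; presumably the admin
        # credential comes from the sops env file — confirm it is set there.
        MALOJA_SKIP_SETUP = "true";
      };

      # Persistent state lives on the host under the shared container-data root.
      volumes = [ "${config.my.containerData}/maloja:/mljdata" ];

      # Dashboard metadata consumed by Flame via container labels.
      labels = {
        "flame.type" = "application";
        "flame.name" = "Maloja";
        "flame.url" = cfg.url;
        "flame.icon" = "bookmark-music";
      };
    };

    # Gated on enableProxy only (not enable) — left as-is, since the proxy may
    # run on a different host than the container; verify that is intended.
    services.nginx.virtualHosts."${cfg.host}" = lib.mkIf cfg.enableProxy (
      proxyReverse cfg.hostName cfg.port
    );
  };
}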