{
  lib,
  config,
  proxyReverse,
  ...
}:
let
  port = 8765;
  url = "tracker.${config.my.domain}";
in
{
  options.my.servers.ryot.enable = lib.mkEnableOption "enable";
  config = lib.mkIf (config.my.servers.ryot.enable && config.my.servers.postgres.enable) {
    sops.secrets.ryot.sopsFile = ../../secrets/env.yaml;
    virtualisation.oci-containers.containers.ryot = {
      image = "ghcr.io/ignisda/ryot:v7.0.0";
      ports = [ "${toString port}:8000" ];
      environmentFiles = [ config.sops.secrets.ryot.path ];
      environment = {
        RUST_LOG = "ryot=debug,sea_orm=debug";
        TZ = "America/Mexico_City";
        DATABASE_URL = "postgres:///ryot?host=${config.my.postgresSocket}";
        FRONTEND_INSECURE_COOKIES = "true";
      };
      volumes = [ "${config.my.postgresSocket}:${config.my.postgresSocket}" ];
      labels = {
        "flame.type" = "application";
        "flame.name" = "Ryot";
        "flame.url" = url;
        "flame.icon" = "radar";
      };
    };
    services.nginx.virtualHosts."tracker.${config.my.domain}" = proxyReverse port // { };
  };
}