{config, ...}: let
  ghcrLogin = {
    registry = "ghcr.io";
    username = "nekowinston";
    passwordFile = config.age.secrets."containers/ghcr-token".path;
  };
  websitePort = "14139";
in {
  virtualisation = {
    podman = {
      enable = true;
      autoPrune = {
        enable = true;
        dates = "03:30";
      };
    };

    oci-containers = {
      backend = "podman";

      containers = {
        faerber-bot = {
          image = "ghcr.io/nekowinston/faerber/faerber-discord-bot:latest";
          environmentFiles = [config.age.secrets."containers/faerber.env".path];
          extraOptions = ["--label=\"io.containers.autoupdate=registry\""];
        };

        pepperjack = {
          image = "ghcr.io/phasecorex/red-discordbot:latest";
          environment = {
            TOKEN = "~";
            OWNER = "505490445468696576";
          };
          environmentFiles = [config.age.secrets."containers/pepperjack.env".path];
          volumes = ["/srv/data-pepperjack:/data"];
          extraOptions = ["--label=\"io.containers.autoupdate=registry\""];
        };

        website = {
          image = "ghcr.io/nekowinston/winston.sh/winston-sh:latest";
          login = ghcrLogin;
          ports = ["127.0.0.1:${websitePort}:3000"];
          extraOptions = ["--label=\"io.containers.autoupdate=registry\""];
        };
      };
    };
  };

  services.nginx.virtualHosts."winston.sh" = {
    locations."/".proxyPass = "http://127.0.0.1:${websitePort}";
    forceSSL = true;

    enableACME = false;
    useACMEHost = "winston.sh";
  };
}