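# NixOS module: runs MusicBrainz Picard (web GUI image) as an OCI container,
# bind-mounts the music library and a config directory into it, and exposes
# the web UI through an nginx virtual host limited to 10.0.0.0/8.
{ config, pkgs, ... }:
let
  # Fixed UID so ownership of /srv/picard and of files written by the
  # container stays stable across rebuilds.
  UID = 1128;
in
{
  users.users.picard = {
    isNormalUser = true;
    uid = UID;
    # Membership in geesefs matches the GROUP_ID handed to the container below.
    extraGroups = [ "geesefs" ];
  };

  virtualisation.oci-containers.containers.picard = {
    # NOTE(review): pinned by tag only. Registry tags can be re-pushed; append
    # a digest ("...:2.12.3@sha256:<DIGEST-PLACEHOLDER>") to pin the exact image.
    image = "mikenye/picard:2.12.3";

    environment = {
      # IDs the image is told to use; presumably the application then runs as
      # the picard user / geesefs group instead of root -- confirm against the
      # image documentation.
      USER_ID = builtins.toString UID;
      GROUP_ID = builtins.toString config.users.groups.geesefs.gid;
      TZ = "Europe/Moscow";
      KEEP_APP_RUNNING = "1";
      WEB_AUDIO = "1";
      # ENABLE_CJK_FONT = "1";
    };

    # No port is published to the host here; the UI is reached only through
    # the nginx proxy defined further down.
    extraOptions = [
      "--mount=type=bind,source=/mnt/s3-desu-priv-encrypted/music,target=/storage/s3"
      "--mount=type=bind,source=/srv/picard,target=/config"
    ];
  };

  systemd.services.docker-picard = {
    requires = [ "gocryptfs.service" ];
    # `requires` alone does not order start-up. Without `after`, the container
    # can start in parallel with gocryptfs.service and bind-mount the bare
    # mount-point directory, so anything it writes would land outside the
    # encrypted store.
    # NOTE(review): presumably gocryptfs.service provides the mount under
    # /mnt/s3-desu-priv-encrypted and only reports "started" once the mount is
    # up -- confirm in that unit's definition.
    after = [ "gocryptfs.service" ];
  };

  systemd.tmpfiles.rules = [
    # Config directory is private to the picard user (0700). The group field
    # reuses the numeric UID; with mode 0700 only the owner is significant.
    "d /srv/picard 0700 ${builtins.toString UID} ${builtins.toString UID} -"
  ];

  services.nginx.virtualHosts."picard.stupid.fish" = {
    forceSSL = true;
    useACMEHost = "stupid.fish";
    # This address allowlist is the only access control visible in this module
    # for the web UI. `allow`/`deny` match the address nginx sees as the peer,
    # so if another proxy sits in front of nginx every request would appear to
    # come from that proxy. Consider adding authentication if 10.0.0.0/8 is
    # broader than the set of hosts that should reach this UI.
    extraConfig = ''
      allow 10.0.0.0/8;
      deny all;
    '';
    locations."/" = {
      # Upstream is addressed by container hostname over plain HTTP; TLS ends
      # at nginx.
      proxyPass = "http://picard.docker:5800$request_uri";
    };
  };
}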