{ config, pkgs, ... }:
{
  containers.ttrss = {
    config = {
      users.extraUsers.ttrss = {};

      services.postgresql = {
        enable = true;
        package = pkgs.postgresql95;
        initialScript = pkgs.writeText "ttrss-init.sql" ''
          create database ttrss;
          create user ttrss with password 'ttrss';
          grant all privileges on database ttrss to ttrss;
        '';
      };

      services.tt-rss = {
        enable = true;
        user = "ttrss";

        pool = "ttrss";

        database = {
          type = "pgsql";
          host = "localhost";
          name = "ttrss";
          user = "ttrss";
          password = "ttrss";
        };

        selfUrlPath = "https://reader.gebner.org/";
      };

      services.phpfpm = {
        extraConfig = ''
          error_log = /var/log/phpfpm.log
          log_level = notice
        '';

        poolConfigs = {
          ttrss = ''
              listen = 9000
              user = ttrss
              pm = dynamic
              pm.max_children = 75
              pm.start_servers = 10
              pm.min_spare_servers = 5
              pm.max_spare_servers = 20
              pm.max_requests = 500
              catch_workers_output = 1
          '';
        };
      };

      networking.firewall.allowedTCPPorts = [ 9000 ];
    };

    autoStart = true;
    hostAddress = "192.168.100.10";
    localAddress = "192.168.100.11";
    privateNetwork = true;
  };

  networking.nat.enable = true;
  networking.nat.internalInterfaces = ["ve-+"];
  networking.nat.externalInterface = "eth0";

  security.acme.certs."gebner.org".extraDomains."reader.gebner.org" = null;

  services.nginx.httpConfig = ''
    server {
      listen [::]:80;
      listen 80;
      server_name reader.gebner.org;

      location /.well-known/acme-challenge {
        default_type text/plain;
        alias /var/lib/acme/www/.well-known/acme-challenge;
      }

      location / {
        rewrite ^(.*) https://$host$1 permanent;
      }
    }

    server {
      listen [::]:443;
      listen 443;
      server_name reader.gebner.org;

      ssl on;
      ssl_certificate_key /var/lib/acme/gebner.org/key.pem;
      ssl_certificate /var/lib/acme/gebner.org/fullchain.pem;
      ssl_dhparam /etc/nginx/dhparam.pem;
      ssl_protocols TLSv1.1 TLSv1.2;
      ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
      ssl_prefer_server_ciphers on;
      add_header Strict-Transport-Security max-age=15768000;
      ssl_stapling on;
      ssl_stapling_verify on;

      location / {
        root /var/lib/containers/ttrss/var/lib/tt-rss;
        index index.php;
      }

      location /cache {
        deny all;
      }
      location = /config.php {
        deny all;
      }

      location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass 192.168.100.11:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /var/lib/tt-rss/$fastcgi_script_name;
        include ${pkgs.nginx}/conf/fastcgi_params;
      }
    }
  '';
}