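# NixOS module: runs Tiny Tiny RSS (tt-rss) with PostgreSQL and PHP-FPM inside a
# declarative container on a private veth network. The host's nginx terminates
# TLS for reader.gebner.org, serves static files straight out of the container's
# filesystem, and forwards *.php requests to the container's PHP-FPM over FastCGI.
{ config, pkgs, ... }:
{
  containers.ttrss = {
    config = {
      # Dedicated unprivileged account and group for the tt-rss PHP workers.
      users.extraUsers.ttrss = {};
      users.extraGroups.ttrss = {};

      services.postgresql = {
        enable = true;
        # NOTE(review): PostgreSQL 9.5 is past upstream end-of-life and no longer
        # receives security fixes. Moving to a newer major version needs a data
        # migration, so it is flagged here rather than changed.
        package = pkgs.postgresql95;
        # NOTE(review): pkgs.writeText places this file in the Nix store, which is
        # world-readable, so the database password below is visible to every
        # local user. It is also a guessable value equal to the user name.
        # Provision the role out of band with a generated secret.
        initialScript = pkgs.writeText "ttrss-init.sql" ''
          create database ttrss;
          create user ttrss with password 'ttrss';
          grant all privileges on database ttrss to ttrss;
        '';
      };

      services.tt-rss = {
        enable = true;
        user = "ttrss";

        # Use the PHP-FPM pool declared below; no web server is configured inside
        # the container because the host's nginx fronts the application.
        pool = "ttrss";
        virtualHost = null;

        database = {
          type = "pgsql";
          host = "localhost";
          name = "ttrss";
          user = "ttrss";
          # NOTE(review): same hard-coded credential as in the init script, and it
          # likewise ends up in the Nix store. Prefer reading it from a file kept
          # outside the store (the module's passwordFile option - confirm it is
          # available in the nixpkgs revision in use).
          password = "ttrss";
        };

        selfUrlPath = "https://reader.gebner.org/";
      };

      services.phpfpm = {
        pools = {
          ttrss = {
            user = "ttrss";
            group = "ttrss";
            settings = {
              # A bare port makes PHP-FPM listen on every address of the container.
              listen = "9000";
              # FastCGI is unauthenticated: any peer that can reach this port can
              # ask the pool to execute PHP. Accept connections only from the
              # host end of the veth pair (hostAddress below), which is where
              # the fronting nginx connects from.
              "listen.allowed_clients" = "192.168.100.10";
              pm = "dynamic";
              "pm.max_children" = 75;
              "pm.start_servers" = 10;
              "pm.min_spare_servers" = 5;
              "pm.max_spare_servers" = 20;
              "pm.max_requests" = 500;
              catch_workers_output = 1;
            };
          };
        };
      };

      # Opens the FastCGI port in the container firewall. allowedTCPPorts cannot
      # filter by source address, so the peer restriction lives in the pool's
      # listen.allowed_clients setting above.
      networking.firewall.allowedTCPPorts = [ 9000 ];
    };

    autoStart = true;
    # Private veth pair: the host is .10, the container is .11.
    hostAddress = "192.168.100.10";
    localAddress = "192.168.100.11";
    privateNetwork = true;
  };

  # NAT outbound traffic from container veth interfaces (ve-*) via ens3 so that
  # tt-rss can fetch feeds.
  networking.nat.enable = true;
  networking.nat.internalInterfaces = ["ve-+"];
  networking.nat.externalInterface = "ens3";

  # Add the reader host name to the existing gebner.org certificate.
  security.acme.certs."gebner.org".extraDomainNames = [ "reader.gebner.org" ];

  services.nginx = {
    virtualHosts."reader.gebner.org" = {
      forceSSL = true;
      useACMEHost = "gebner.org";
      locations."/" = {
        # Static files are read directly from the container's root filesystem as
        # seen from the host.
        root = "/var/lib/containers/ttrss/var/lib/tt-rss";
        index = "index.php";
      };
      # "^~" stops nginx from evaluating regex locations once this prefix
      # matches. With a plain prefix location the "~ \.php$" block below wins
      # for any /cache/...php URI, so "deny all" would not cover PHP files under
      # the cache directory.
      locations."^~ /cache".extraConfig = "deny all;";
      # Exact-match locations already take precedence over regex locations, so
      # config.php is never handed to PHP-FPM.
      locations."= /config.php".extraConfig = "deny all;";
      # Forward PHP requests to the container. SCRIPT_FILENAME uses the path as
      # seen inside the container, not the host-side path used for "root" above.
      locations."~ \\.php$".extraConfig = ''
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass 192.168.100.11:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /var/lib/tt-rss/$fastcgi_script_name;
        include ${pkgs.nginx}/conf/fastcgi_params;
      '';
    };
  };

}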