# Host-side definition of the "music" NixOS container: a private-network
# container running MPD, fronted by the host's nginx for the HTTP stream
# endpoints and by one NAT-forwarded port for the MPD control protocol.
{ self, hostPath, tree, lib, inputs, pkgs, config, ... }:
let
  inherit (lib.modules) mkMerge;

  cName = "music";
  addresses = import "${hostPath}/data/containerAddresses.nix";
  hostAddr = addresses.host;
  containerAddr = addresses.containers.${cName};
  ports = import ./data/ports.nix;

  # Secrets are declared inside the container module (./secrets.nix) and read
  # back out of its evaluated config here; the original author notes they
  # would arguably belong on the host instead.
  secrets = config.containers.${cName}.config.services.secrets.secrets;

  # Translate a path inside the container to where the host sees it on disk
  # (the container's state directory).
  inContainer = p: "/var/lib/nixos-containers/${cName}" + p;

  streamQualities = [ "low" "medium" "high" ];

  # Shared nginx snippet: every stream location is gated behind HTTP basic
  # auth, with the htpasswd file taken from the container's secret store.
  streamAuth = ''
    auth_basic "Music Password";
    auth_basic_user_file ${inContainer secrets.music_stream_passwd.path};
  '';

  # One reverse-proxied location pointing at a stream port in the container.
  streamLocation = port: {
    proxyPass = "http://${containerAddr}:${toString port}";
    extraConfig = streamAuth;
  };
in
{
  # Swap in the headless MPD build. The container reuses the host's `pkgs`
  # below (`nixpkgs.pkgs = pkgs`), so the overlay takes effect there too.
  nixpkgs.overlays = [
    (final: _prev: { mpd = final.mpd-headless; })
  ];

  containers.${cName} = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = hostAddr;
    localAddress = containerAddr;

    specialArgs = { inherit inputs tree self hostPath; };

    bindMounts."/dev/fuse" = {
      hostPath = "/dev/fuse";
      isReadOnly = false;
    };

    # NOTE(review): /dev/mapper/control grants the container device-mapper
    # control on the host; it looks tied to the commented-out musicMount
    # profile below — drop it if nothing in the container still needs it.
    allowedDevices = [
      { modifier = "rwm"; node = "/dev/fuse"; }
      { modifier = "rwm"; node = "/dev/mapper/control"; }
    ];

    config = { ... }: {
      nixpkgs.pkgs = pkgs;

      imports = [
        tree.presets.nixos.containerBase
        tree.profiles.nginx
        tree.profiles.firewallAllow.httpCommon
        ./secrets.nix
        tree.hosts.hetzner-arm.containers.music.profiles.mpd
        # tree.hosts.hetzner-arm.containers.music.profiles.musicMount
      ];

      home-manager.users.root = {
        imports = [ tree.home.apps.musicutil ];
        home.stateVersion = "23.05";
      };

      # Ports the container accepts from the host network: the control port
      # plus one HTTP stream port per encoding.
      networking.firewall.allowedTCPPorts = [
        ports.mpd
        ports.mpd-opus-low
        ports.mpd-opus-medium
        ports.mpd-opus-high
        ports.mpd-flac
      ];

      system.stateVersion = "23.05";
    };
  };

  # Host nginx terminates TLS (ACME) and proxies each stream endpoint into the
  # container; all of them share the basic-auth snippet defined above.
  services.nginx.virtualHosts."mpd.owo.monster" = {
    forceSSL = true;
    enableACME = true;
    locations = mkMerge [
      { "/flac" = streamLocation ports.mpd-flac; }
      (mkMerge (map (q: {
        "/opus-${q}" = streamLocation ports."mpd-opus-${q}";
      }) streamQualities))
    ];
  };

  # The MPD control port is forwarded straight to the container and opened on
  # the host firewall, i.e. it bypasses nginx and the basic-auth gate that
  # covers the HTTP streams.
  # NOTE(review): confirm the mpd profile configures a password for this
  # protocol, or that an upstream firewall limits its source range.
  networking = {
    nat.forwardPorts = [
      {
        sourcePort = ports.mpd;
        destination = "${containerAddr}:${toString ports.mpd}";
      }
    ];
    firewall.allowedTCPPorts = [ ports.mpd ];
  };
}