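# Host-side definition of the "piped" NixOS container plus the host pieces it needs:
# bind-mounted secrets, a mirrored cockroachdb uid/gid, and the nginx virtual hosts
# that terminate TLS on the host and forward to unix sockets inside the container.
#
# `config` here is the HOST configuration; the inner `config = {config, ...}:` module
# below shadows it with the CONTAINER configuration.
{ self, hostPath, tree, lib, inputs, config, pkgs, ... }:
let
  containerName = "piped";

  # Static address table shared by all containers on this host.
  containerAddresses = import "${hostPath}/data/containerAddresses.nix";
  hostIP = containerAddresses.host;
  containerIP = containerAddresses.containers.${containerName};

  # Evaluated container config, used to mirror its cockroachdb uid/gid on the host.
  containerConfig = config.containers.${containerName}.config;
  containerLib = import "${self}/lib/containerLib.nix" { inherit lib; };

  # Secrets are managed on the host and bind-mounted into the container.
  # Entries given as { name; path; } are placed at `path` inside the container
  # (presumably by genBindHostsForSecrets; bare strings use its default path).
  secrets = config.services.secrets.secrets;
  secretsList = [
    "piped_finland_restic_env"
    "piped_finland_restic_password"
    { name = "piped_cockroachdb_ca_certificate"; path = "/var/lib/cockroachdb-certs/ca.crt"; }
    { name = "piped_cockroachdb_node_certificate"; path = "/var/lib/cockroachdb-certs/node.crt"; }
    # Private key material: lands in the container's root filesystem on the host,
    # so host-side ownership of that directory matters (see tmpfiles rule below).
    { name = "piped_cockroachdb_node_key"; path = "/var/lib/cockroachdb-certs/node.key"; }
  ];

  # Host-visible path of an in-container unix socket for one piped component
  # (the container's rootfs lives under /var/lib/nixos-containers/<name>).
  pipedSocketForComponent = component:
    "/var/lib/nixos-containers/${containerName}/var/sockets/piped-${component}.sock";

  # Host nginx vhost that proxies everything to one in-container socket.
  # `extra` is merged into the "/" location (e.g. extraConfig for the proxy).
  mkPipedVhost = component: extra: {
    forceSSL = true;
    enableACME = true;
    locations."/" = { proxyPass = "http://unix:${pipedSocketForComponent component}"; } // extra;
  };
in
{
  containers.piped = {
    autoStart = true;
    # The container shares the host network namespace; hostAddress/localAddress
    # only take effect with privateNetwork = true, so they are effectively
    # documentation here. Traffic reaches the container over unix sockets, not IP.
    privateNetwork = false;
    hostAddress = hostIP;
    localAddress = containerIP;
    bindMounts = containerLib.genBindHostsForSecrets secrets secretsList;
    # Host values handed to the container's modules.
    specialArgs = {
      inherit inputs;
      inherit tree;
      inherit self;
      inherit hostPath;
      hostSecrets = secrets;
    };
    config = { config, ... }: {
      nixpkgs.pkgs = pkgs;
      imports = with tree;
        [
          presets.nixos.containerBase
          profiles.nginx
          profiles.firewallAllow.httpCommon
        ]
        ++ (with hosts.hetzner-vm.containers.piped.profiles; [
          piped
          restic
          cockroachDB
        ]);
      # Directory the bind-mounted shared secrets are placed under (container config).
      systemd.tmpfiles.rules = [ "d ${config.services.secrets.secretsDir} - root root" ];
      home-manager.users.root.home.stateVersion = "23.05";
      system.stateVersion = "23.05";
    };
  };

  # Create this directory outside the container so the bind mounts work.
  systemd.tmpfiles.rules = [
    "d /var/lib/nixos-containers/${containerName}/var/lib/cockroachdb-certs - root root"
  ];

  # Mirror the container's cockroachdb uid/gid on the host so files shared through
  # the container rootfs resolve to the same numeric owner on both sides.
  # isSystemUser was missing: NixOS asserts that exactly one of isSystemUser /
  # isNormalUser is set for every user; it is harmless if already implied elsewhere.
  users.users."cockroachdb-piped" = {
    uid = containerConfig.users.users.cockroachdb.uid;
    group = "cockroachdb-piped";
    isSystemUser = true;
  };
  users.groups."cockroachdb-piped" = {
    gid = containerConfig.users.groups.cockroachdb.gid;
  };

  # TLS is terminated on the host (ACME) and proxied to the container's sockets,
  # so no container port needs to be reachable from outside.
  services.nginx.virtualHosts = {
    "piped-fi.owo.monster" = mkPipedVhost "frontend" { };
    "backend.piped-fi.owo.monster" = mkPipedVhost "backend" { };
    "proxy.piped-fi.owo.monster" = mkPipedVhost "proxy" {
      # NOTE(review): this reads the HOST's services.piped options, not the
      # container's (containerConfig) — confirm the host defines that module.
      extraConfig = config.services.piped.proxyNginxExtraConfig;
    };
  };
}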