{
  self,
  hostPath,
  tree,
  lib,
  inputs,
  pkgs,
  config,
  ...
}: let
  # Module-system and list helpers taken from nixpkgs' lib.
  mkMerge = lib.modules.mkMerge;
  forEach = lib.lists.forEach;

  # Name of the container declared below; pathInContainer also uses it to
  # build the host-side path of the container's root directory.
  containerName = "music";

  # Port numbers for the services in this container, looked up by service name.
  ports = import ./data/ports.nix;

  # Address table kept with the host's data: `host` becomes the host-side
  # address and `containers.<name>` the container-side address below.
  containerAddresses = import "${hostPath}/data/containerAddresses.nix";
  hostIP = containerAddresses.host;
  containerIP = containerAddresses.containers."${containerName}";

  # The secrets are declared in the container's own configuration, but the
  # host's nginx consumes one of them (the stream htpasswd file). The original
  # author notes they would be better declared on the host.
  containerSecrets = let
    guest = config.containers.${containerName}.config;
  in
    guest.services.secrets.secrets;

  # Turns an absolute path as seen inside the container into the path of the
  # same file as seen from the host, by prefixing the container's root directory.
  # NOTE(review): this only resolves to the real file if the secret is written
  # to the container's on-disk root rather than to a mount that exists only
  # inside the container (e.g. a tmpfs) — confirm against the secrets module.
  pathInContainer = guestPath: "/var/lib/nixos-containers/${containerName}" + guestPath;
in {
  # Declarative NixOS container running MPD, the music sync job and slskd.
  containers.music = {
    autoStart = true;

    # The container gets its own virtual interface instead of sharing the
    # host's network; hostAddress and localAddress are the two ends of that link.
    # Nothing inside is reachable from outside unless the host forwards or
    # proxies it (see the nginx vhosts and networking.nat in this file).
    privateNetwork = true;
    hostAddress = hostIP;
    localAddress = containerIP;

    # Extra module arguments made available to the container's modules.
    specialArgs = {inherit inputs tree self hostPath;};

    config = {...}: {
      # Reuse the package set this host module was given.
      nixpkgs.pkgs = pkgs;

      imports = with tree;
        [
          presets.nixos.containerBase

          # sshd is enabled and allowed through the container's firewall.
          # NOTE(review): no forward for SSH appears in this file, so it is
          # presumably reachable only over the host<->container link — confirm.
          profiles.sshd
          profiles.firewallAllow.ssh

          profiles.nginx
          profiles.firewallAllow.httpCommon

          ./secrets.nix
        ]
        # Profiles that live next to this container's definition in the tree.
        ++ (with hosts.hetzner-arm.containers.music; [
          profiles.mpd
          profiles.musicSync
          profiles.soulseek
        ]);

      # Ports opened on the container's own firewall. In this file only `mpd`
      # and `slskd` are forwarded by the host; the stream ports and the slskd
      # web UI are reached through the host's nginx, which connects to
      # containerIP on these ports.
      networking.firewall.allowedTCPPorts = [
        ports.mpd
        ports.mpd-opus-low
        ports.mpd-opus-medium
        ports.mpd-opus-high
        ports.mpd-flac
        ports.slskd
        ports.slskd-web
      ];

      home-manager.users.root.home.stateVersion = "23.05";
      system.stateVersion = "23.05";
    };
  };

  # Host-side TLS front end (ACME certificate, HTTP redirected to HTTPS) for
  # the slskd web UI running inside the container.
  # NOTE(review): unlike the stream.owo.monster vhost in this file, no
  # auth_basic is configured here, so access control rests entirely on
  # whatever login slskd itself enforces — confirm in profiles.soulseek.
  services.nginx.virtualHosts."soulseek.owo.monster" = let
    upstream = "http://${containerIP}:${toString ports.slskd-web}";
  in {
    enableACME = true;
    forceSSL = true;

    locations."/".proxyPass = upstream;
    # Enable nginx's WebSocket proxying for this location.
    locations."/".proxyWebsockets = true;
  };

  # Host-side TLS front end for the MPD HTTP streams, one location per format.
  services.nginx.virtualHosts."stream.owo.monster" = let
    # HTTP basic auth, checked by the host's nginx against an htpasswd file that
    # lives inside the container's root directory.
    # NOTE(review): the host's nginx user must be able to read that file, and
    # anything running as root in the container can rewrite it — confirm both
    # are intended.
    basicAuth = ''
      auth_basic "Music Password";
      auth_basic_user_file ${pathInContainer containerSecrets.music_stream_passwd.path};
    '';

    # Builds the single-location attrset for one stream, e.g. "flac" or
    # "opus-low": /mpd/<stream> is proxied to the port named mpd-<stream>.
    streamLocation = stream: {
      "/mpd/${stream}" = {
        proxyPass = "http://${containerIP}:${toString ports."mpd-${stream}"}";
        # Auth is attached per location rather than to the whole vhost, so a
        # location added later is unauthenticated unless it sets this as well.
        extraConfig = basicAuth;
      };
    };
  in {
    forceSSL = true;
    enableACME = true;
    locations = mkMerge (map streamLocation ["flac" "opus-low" "opus-medium" "opus-high"]);
  };

  # Raw port exposure for the two services that are not HTTP-proxied.
  # Traffic on these ports goes straight to the container, so the TLS and
  # basic auth that the nginx vhosts in this file provide do not apply to it.
  # NOTE(review): the MPD port forwarded here is separate from the HTTP stream
  # ports; confirm that profiles.mpd and profiles.soulseek apply their own
  # access control, since nothing in this file restricts who may connect.
  networking = let
    forwarded = [ports.mpd ports.slskd];
  in {
    # Forward each port on the host to the same port on the container.
    # `\:` evaluates to a plain `:`; Nix drops a backslash that precedes a
    # character with no special escape meaning.
    nat.forwardPorts =
      map (port: {
        sourcePort = port;
        destination = "${containerIP}\:${toString port}";
      })
      forwarded;

    # Open the same ports (TCP only) on the host's firewall.
    firewall.allowedTCPPorts = forwarded;
  };
}