# Host-side definition of the "music" NixOS container (MPD, music sync and
# slskd), together with everything on the host that exposes it: the nginx
# reverse proxies, the NAT port forwards and the uid/gid mirroring needed
# for shared secrets.
{ self, hostPath, tree, lib, inputs, config, pkgs, ... }:
let
  inherit (lib.attrsets) listToAttrs nameValuePair;

  containerName = "music";

  # Host and container addresses on the container network.
  addressBook = import "${hostPath}/data/containerAddresses.nix";
  hostAddr = addressBook.host;
  musicAddr = addressBook.containers.${containerName};

  # Port numbers shared by the host and container configuration.
  ports = import ./data/ports.nix;

  # Evaluated configuration of the container; only its uid/gid ids are read.
  musicCfg = config.containers.${containerName}.config;

  cLib = import "${self}/lib/containerLib.nix" { inherit lib; };

  # Secrets are managed on the host; only the named ones are bind-mounted
  # into the container. music_stream_passwd is intentionally not in the list:
  # it is read by the host's nginx, not by anything inside the container.
  allSecrets = config.services.secrets.secrets;
  sharedSecretNames = [ "mpd_control_password" "slskd_env" ];

  # nginx snippet gating the audio streams behind HTTP basic auth. The
  # credential file stays on the host; forceSSL on the vhost below is what
  # keeps these credentials off plaintext HTTP.
  streamAuth = ''
    auth_basic "Music Password";
    auth_basic_user_file ${allSecrets.music_stream_passwd.path};
  '';

  # One proxied location per MPD HTTP output, all behind the same basic auth.
  streamLocation = port: {
    proxyPass = "http://${musicAddr}:${toString port}";
    extraConfig = streamAuth;
  };
  opusQualities = [ "low" "medium" "high" ];
in
{
  containers.music = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = hostAddr;
    localAddress = musicAddr;
    bindMounts = cLib.genBindHostsForSecrets allSecrets sharedSecretNames;
    specialArgs = {
      inherit inputs tree self hostPath;
      hostSecrets = allSecrets;
    };

    config = { config, ... }: {
      nixpkgs.pkgs = pkgs;

      # Base container profiles from the tree, plus this container's own
      # profiles (mpd / musicSync / soulseek) living under the host's subtree.
      imports = with tree;
        [
          presets.nixos.containerBase
          profiles.sshd
          profiles.firewallAllow.ssh
          profiles.nginx
          profiles.firewallAllow.httpCommon
        ]
        ++ (with hosts.hetzner-vm.containers.music; [
          profiles.mpd
          profiles.musicSync
          profiles.soulseek
        ]);

      # Ports open on the container's own interface. Only the host sits on the
      # other end of the veth; anything public goes through the nginx vhosts
      # or the NAT forwards defined on the host below.
      networking.firewall.allowedTCPPorts = [
        ports.mpd
        ports.mpd-opus-low
        ports.mpd-opus-medium
        ports.mpd-opus-high
        ports.mpd-flac
        ports.slskd
        ports.slskd-web
      ];

      # Mount point for the secrets bind-mounted from the host. Mode "-" is
      # the tmpfiles default (0755 for a directory), so access control rests
      # on the ownership/mode of the individual secret files — that is what
      # the users.* uid/gid mirroring on the host exists for.
      systemd.tmpfiles.rules = [
        "d ${config.services.secrets.secretsDir} - root root"
      ];

      home-manager.users.root.home.stateVersion = "23.05";
      system.stateVersion = "23.05";
    };
  };

  # slskd web UI. There is no nginx-side authentication here: access control
  # relies entirely on slskd's own login (configured from slskd_env inside the
  # container) — confirm it is enabled before treating this vhost as public.
  services.nginx.virtualHosts."soulseek.owo.monster" = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://${musicAddr}:${toString ports.slskd-web}";
      proxyWebsockets = true;
    };
  };

  # MPD HTTP outputs, one location per encoding, all behind basic auth.
  services.nginx.virtualHosts."stream.owo.monster" = {
    forceSSL = true;
    enableACME = true;
    locations =
      { "/mpd/flac" = streamLocation ports.mpd-flac; }
      // listToAttrs (map
        (quality:
          nameValuePair "/mpd/opus-${quality}"
            (streamLocation ports."mpd-opus-${quality}"))
        opusQualities);
  };

  # Mirror the container's mpd uid/gid on the host so the bind-mounted secret
  # files can be owned by the user that reads them inside the container.
  users.users.mpd = {
    uid = musicCfg.ids.uids.mpd;
    group = "mpd";
  };
  users.groups.mpd.gid = musicCfg.ids.gids.mpd;

  networking = {
    # These two ports are forwarded straight from the host's public interface
    # with no TLS or auth layer in front. ports.slskd is the Soulseek peer
    # listen port and has to be reachable. ports.mpd is MPD's control port:
    # its protocol has no transport encryption, so mpd_control_password
    # crosses the wire in the clear — worth confirming profiles.mpd actually
    # requires the password, and consider limiting the source range.
    nat.forwardPorts = [
      { sourcePort = ports.mpd;   destination = "${musicAddr}:${toString ports.mpd}"; }
      { sourcePort = ports.slskd; destination = "${musicAddr}:${toString ports.slskd}"; }
    ];
    firewall.allowedTCPPorts = [ ports.mpd ports.slskd ];
  };
}