# Host-side module: declares the `piped-fi` NixOS container and the host nginx
# virtual hosts that reverse-proxy to unix sockets inside the container's root
# filesystem.
{
  self,
  hostPath,
  tree,
  inputs,
  config,
  pkgs,
  lib,
  ...
}: let
  name = "piped-fi";

  # Host-visible path of a socket created inside the container. The host
  # reaches into the container root under /var/lib/nixos-containers/<name>.
  # NOTE(review): anything on the host that can traverse this path and open the
  # socket can talk to the component directly; confirm the socket's
  # owner/mode restricts access to the host nginx user.
  socketFor = component: "/var/lib/nixos-containers/${name}/var/sockets/piped-${component}.sock";

  # TLS-only vhost (HTTP redirected to HTTPS, certificate from ACME) that
  # forwards every request to the given component's unix socket.
  proxyVhost = component: {
    forceSSL = true;
    enableACME = true;
    locations."/".proxyPass = "http://unix:${socketFor component}";
  };
in {
  containers.${name} = {
    autoStart = true;

    # No private veth: the container shares the host's network namespace, so
    # anything it binds is bound on the host's interfaces.
    privateNetwork = false;

    # Extra module arguments made available to the container's own modules.
    specialArgs = {
      inherit inputs tree self hostPath;
    };

    config = {...}: {
      # Reuse the host's package set instead of evaluating a second nixpkgs.
      nixpkgs.pkgs = pkgs;

      imports = [
        tree.presets.nixos.containerBase
        tree.profiles.nginx
        tree.profiles.firewallAllow.httpCommon
        tree.profiles.pipedCluster
        ./secrets.nix
      ];

      # Mode "-" leaves the directory at the tmpfiles default mode.
      # NOTE(review): if private key material is placed here, confirm the
      # individual files (or this directory) are not readable by other users.
      systemd.tmpfiles.rules = [
        "d /var/lib/cockroachdb-certs - root root"
      ];

      # Forced off regardless of what the imported profiles set.
      # NOTE(review): with the shared network namespace, filtering is
      # presumably left to the host firewall; verify the host rules cover
      # every port the container's services listen on.
      networking.firewall.enable = lib.modules.mkForce false;

      home-manager.users.root.home.stateVersion = "23.05";
      system.stateVersion = "23.05";
    };
  };

  # Public entry points, one hostname per piped component.
  services.nginx.virtualHosts = {
    "piped-fi.owo.monster" = proxyVhost "frontend";
    "backend.piped-fi.owo.monster" = proxyVhost "backend";
    "proxy.piped-fi.owo.monster" = proxyVhost "proxy";
  };
}