{
  tree,
  lib,
  inputs,
  pkgs,
  config,
  ...
}: let
  hostIP = "192.168.100.10";
  containerIP = "192.168.100.12";

  # Using secrets from Host
  secrets = config.services.secrets.secrets;
in {
  containers.matrix = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = hostIP;
    localAddress = containerIP;
    bindMounts = {
      "${secrets.matrix_restic_password.path}" = {
        hostPath = "${secrets.matrix_restic_password.path}";
      };
      "${secrets.matrix_restic_env.path}" = {
        hostPath = "${secrets.matrix_restic_env.path}";
      };
    };

    config = {
      config,
      pkgs,
      ...
    }: {
      _module.args = {
        inherit inputs;
        inherit tree;
        host_secrets = secrets;
      };

      imports = with tree;
        [
          profiles.base
          inputs.home-manager-unstable.nixosModules.home-manager

          profiles.sshd

          modules.nixos.secrets

          users.root
        ]
        ++ (with hosts.hetzner-vm.containers.matrix; [
          profiles.matrix
          profiles.restic
        ]);

      # For Shared Secrets
      systemd.tmpfiles.rules = [
        "d ${config.services.secrets.secretsDir} - root root"
      ];

      networking.firewall = {
        enable = true;
        allowedTCPPorts = [22 6167];
      };

      home-manager.users.root = {
        imports = with tree; [home.base home.dev.small];
        home.packages = with pkgs; [vault];
        home.stateVersion = "22.05";
      };

      # Manually configure nameserver. Using resolved inside the container seems to fail
      # currently
      environment.etc."resolv.conf".text = "nameserver 8.8.8.8";
      system.stateVersion = "22.05";
    };
  };

  services.nginx = {
    virtualHosts = {
      "matrix.owo.monster" = {
        forceSSL = true;
        enableACME = true;

        listen = [
          {
            addr = "0.0.0.0";
            port = 80;
            ssl = false;
          }
          {
            addr = "0.0.0.0";
            port = 443;
            ssl = true;
          }
          {
            addr = "0.0.0.0";
            port = 8448;
            ssl = true;
          }
        ];

        extraConfig = ''
          merge_slashes off;
        '';

        locations."/" = {
          root = pkgs.element-web;
        };

        locations."=/config.matrix.owo.monster.json" = {
          alias = let
            config = {
              default_server_config = {
                "m.homeserver" = {
                  "base_url" = "https://matrix.owo.monster";
                };
                "m.identity_server" = {
                  "base_url" = "https://vector.im";
                };
              };
              brand = "Element";
              bug_report_endpoint_url = "";
              default_country_code = "GB";
              default_federate = true;
              default_theme = "dark";
              disable_3pid_login = false;
              disable_custom_urls = false;
              disable_guests = false;
              disable_login_language_selector = false;
              jitsi.preferred_domain = "";
              element_call = {
                brand = "Element Call";
                participant_limit = 8;
                url = "";
              };
              enable_presence_by_hs_url = {
                "https://matrix-client.matrix.org" = false;
                "https://matrix.org" = false;
              };
              features = {};
              integrations_rest_url = "https://scalar.vector.im/api";
              integrations_ui_url = "https://scalar.vector.im/";
              integrations_widgets_urls = ["https://scalar.vector.im/_matrix/integrations/v1" "https://scalar.vector.im/api" "https://scalar-staging.vector.im/_matrix/integrations/v1" "https://scalar-staging.vector.im/api" "https://scalar-staging.riot.im/scalar/api"];
              map_style_url = "https://api.maptiler.com/maps/streets/style.json?key=fU3vlMsMn4Jb6dnEIFsx";
              room_directory = {servers = ["matrix.org"];};
              setting_defaults = {breadcrumbs = true;};
              show_labs_settings = false;
              uisi_autorageshake_app = "element-auto-uisi";
            };
          in
            pkgs.writeText "config.matrix.owo.monster.json" (builtins.toJSON config);
          extraConfig = ''
            default_type application/json;
          '';
        };

        locations."/_matrix/" = {
          proxyPass = "http://backend_conduit$request_uri";
          proxyWebsockets = true;
          extraConfig = ''
            proxy_set_header Host $host;
            proxy_buffering off;
          '';
        };

        locations."=/.well-known/matrix/server" = {
          alias = let
            config = {
              "m.server" = "matrix.owo.monster";
            };
          in
            pkgs.writeText "well-known-matrix-server" (builtins.toJSON config);

          extraConfig = ''
            default_type application/json;
          '';
        };

        locations."=/.well-known/matrix/client" = {
          alias = let
            config = {
              "m.homeserver" = {
                "base_url" = "https://matrix.owo.monster";
              };
              "m.identity_server" = {
                "base_url" = "https://vector.im";
              };
            };
          in
            pkgs.writeText "well-known-matrix-client" (builtins.toJSON config);

          extraConfig = ''
            default_type application/json;
            add_header Access-Control-Allow-Origin "*";
          '';
        };
      };
    };

    upstreams = {
      "backend_conduit" = {
        servers = {
          "${containerIP}:${toString 6167}" = {};
        };
      };
    };
  };
  networking.firewall.allowedTCPPorts = [80 443 8448];
  networking.firewall.allowedUDPPorts = [80 443 8448];
}