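# NixOS module: the `storage` container (rclone-serve instances) plus the
# TLS-terminating nginx virtual hosts on the host that proxy to it.
{ tree, lib, inputs, ... }:
let
  container-addresses = import ../../data/container-addresses.nix { };
  hostIP = container-addresses.host;
  containerIP = container-addresses.containers.storage;

  # 32GB — upper bound for a single request body on every proxied vhost below.
  clientMaxBodySize = "${toString (8192 * 4)}M";

  # Per-service listening ports of the rclone-serve instances in the container.
  ports = import ./data/ports.nix { };

  # Upstream URL for one rclone-serve instance. Host <-> container traffic is
  # plain HTTP on the container's private network; TLS is terminated by nginx.
  proxyTo = port: "http://${containerIP}:${toString port}";

  # One ACME/TLS virtual host whose locations each forward a path prefix to an
  # rclone-serve instance. `locations` maps a path prefix (trailing slash
  # included) to a port attribute from ports.nix. All three hosts share the
  # same TLS settings and upload limit, so they are built from this helper.
  #
  # NOTE(review): nginx adds no authentication here — each rclone-serve
  # instance behind a prefix is responsible for its own access control;
  # confirm that in the rclone-serve module before exposing a new prefix.
  # NOTE(review): nginx spools request bodies to its temp dir before
  # forwarding, so a 32GB upload is written to disk twice; consider
  # `proxy_request_buffering off;` if that matters for this host.
  mkProxyVhost = locations: {
    forceSSL = true;
    enableACME = true;
    locations = lib.mapAttrs (_prefix: port: { proxyPass = proxyTo port; }) locations;
    extraConfig = ''
      client_max_body_size ${clientMaxBodySize};
    '';
  };
in
{
  containers.storage = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = hostIP;
    localAddress = containerIP;

    config = { config, pkgs, ... }: {
      _module.args = {
        inherit inputs;
        inherit tree;
      };

      imports = with tree; [
        profiles.base
        inputs.home-manager-unstable.nixosModules.home-manager
        profiles.sshd
        modules.nixos.rclone-serve
        modules.nixos.rclone-sync
        modules.nixos.secrets
        users.root
      ] ++ (with hosts.hetzner-vm.containers.storage; [
        profiles.secrets
        profiles.auto-secrets
        profiles.rclone-configs
        profiles.rclone-serve
        profiles.rclone-sync
        # doesn't work in container
        # profiles.storage-mount
        profiles.users
      ]);

      environment.systemPackages = with pkgs; [ rclone ];

      home-manager.users.root = {
        imports = with tree; [ home.base home.dev.small ];
        home.packages = with pkgs; [ vault ];
        home.stateVersion = "23.05";
      };

      # Every port in ports.nix is opened on the container's private
      # interface; what reaches the public internet is decided solely by the
      # nginx virtual hosts on the host, not by this firewall.
      networking.firewall = {
        enable = true;
        allowedTCPPorts = [ 22 ] ++ lib.attrValues ports;
      };

      # Manually configure nameserver. Using resolved inside the container
      # seems to fail currently, so the container is pinned to an external
      # resolver (plain, unencrypted DNS).
      environment.etc."resolv.conf".text = "nameserver 8.8.8.8";

      system.stateVersion = "23.05";
    };
  };

  services.nginx.virtualHosts."storage-webdav.owo.monster" = mkProxyVhost {
    "/Main/" = ports.rclone_serve_webdav_main;
    "/Media/" = ports.rclone_serve_webdav_media;
    "/MusicRO/" = ports.rclone_serve_webdav_music_ro;
  };

  services.nginx.virtualHosts."storage-http.owo.monster" = mkProxyVhost {
    "/Music/" = ports.rclone_serve_http_music;
    "/Public/" = ports.rclone_serve_http_public;
  };

  services.nginx.virtualHosts."storage-restic.owo.monster" = mkProxyVhost {
    "/Music/" = ports.rclone_serve_restic_music;
    "/Vault/" = ports.rclone_serve_restic_vault;
    "/Social/" = ports.rclone_serve_restic_social;
    "/Quassel/" = ports.rclone_serve_restic_quassel;
    "/Piped/" = ports.rclone_serve_restic_piped;
    "/Mail/" = ports.rclone_serve_restic_mail;
  };
}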