{
  self,
  hostPath,
  tree,
  inputs,
  config,
  pkgs,
  ...
}: let
  containerAddresses = import "${hostPath}/data/containerAddresses.nix";
  hostIP = containerAddresses.host;
  containerIP = containerAddresses.containers.rss;
in {
  containers.rss = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = hostIP;
    localAddress = containerIP;

    specialArgs = {
      inherit inputs;
      inherit tree;
      inherit self;
      inherit hostPath;
    };

    config = {...}: {
      nixpkgs.pkgs = pkgs;

      imports = with tree;
        [
          presets.nixos.containerBase
          ./secrets.nix
        ]
        ++ (with hosts.hetzner-arm.containers.rss.profiles; [
          freshrss
          restic
        ]);

      networking.firewall.allowedTCPPorts = [80];

      home-manager.users.root.home.stateVersion = "23.05";
      system.stateVersion = "23.05";
    };
  };

  services.nginx = {
    enable = true;
    virtualHosts."freshrss.owo.monster" = {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://${containerIP}:80/";
        extraConfig = ''
          add_header X-Frame-Options SAMEORIGIN;
          add_header X-XSS-Protection "1; mode=block";
          proxy_redirect off;
          proxy_buffering off;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_set_header X-Forwarded-Port $server_port;
          proxy_read_timeout 90;

          # Forward the Authorization header for the Google Reader API.
          proxy_set_header Authorization $http_authorization;
          proxy_pass_header Authorization;
        '';
      };
    };
  };
}