{
  self,
  hostPath,
  tree,
  inputs,
  config,
  pkgs,
  ...
}: let
  containerAddresses = import "${hostPath}/data/containerAddresses.nix";
  hostIP = containerAddresses.host;
  containerIP = containerAddresses.containers.social;

  # Using secrets from Host
  secrets = config.services.secrets.secrets;
in {
  containers.social = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = hostIP;
    localAddress = containerIP;
    bindMounts = {
      "${secrets.social_restic_password.path}" = {
        hostPath = "${secrets.social_restic_password.path}";
      };
      "${secrets.social_restic_env.path}" = {
        hostPath = "${secrets.social_restic_env.path}";
      };
      "${secrets.social_env_secrets.path}" = {
        hostPath = "${secrets.social_env_secrets.path}";
      };
    };

    specialArgs = {
      inherit inputs;
      inherit tree;
      inherit self;
      inherit hostPath;
      hostSecrets = secrets;
    };

    config = {config, ...}: {
      nixpkgs.pkgs = pkgs;

      imports = with tree;
        [
          profiles.base
          inputs.home-manager-unstable.nixosModules.home-manager

          profiles.sshd

          modules.nixos.secrets

          users.root
        ]
        ++ (with hosts.hetzner-vm.containers.social; [
          profiles.gotosocial
          profiles.backups
        ]);

      environment.systemPackages = with pkgs; [
        rclone
        restic
      ];

      # For Shared Secrets
      systemd.tmpfiles.rules = [
        "d ${config.services.secrets.secretsDir} - root root"
      ];

      networking.firewall = {
        enable = true;
        allowedTCPPorts = [22 8080];
      };

      home-manager.users.root = {
        imports = with tree; [home.base home.dev.small];
        home.stateVersion = "23.05";
      };

      # Manually configure nameserver. Using resolved inside the container seems to fail
      # currently
      environment.etc."resolv.conf".text = "nameserver 8.8.8.8";
      system.stateVersion = "23.05";
    };
  };

  services.nginx.virtualHosts."gts-01.owo.monster" = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://${containerIP}:8080";
      proxyWebsockets = true;
      extraConfig = ''
        # uncomment if running nginx without recommendedProxySettings
        # proxy_set_header Host $host;
        # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # proxy_set_header X-Forwarded-Proto $scheme;
      '';
    };
    extraConfig = ''
      client_max_body_size 128M;
    '';
  };
}