# NixOS module: runs an Engelsystem instance ("Hasenloch") inside a declarative
# container on a private veth link and publishes it through the host's nginx
# as https://himmel.hacc.earth.
{ pkgs, config, ... }:

let
  # Public name shared by the app's own settings and the nginx vhost.
  publicHost = "himmel.hacc.earth";

  # Host-side view of the container definition; its addresses are reused below.
  guest = config.containers.hasenloch;
in
{
  containers.hasenloch = {
    autoStart = true;

    # Separate network namespace: host end is 192.168.100.5, container end is
    # 192.168.100.7 (interface ve-hasenloch on the host, see the NAT section).
    privateNetwork = true;
    hostAddress = "192.168.100.5";
    localAddress = "192.168.100.7";

    # The inner module names its argument `config2`, not `config`, so that
    # `config`/`guest` in this body keep referring to the HOST configuration.
    # NOTE(review): nothing visible here supplies a `config2` module argument;
    # it is never referenced, so it is only a shadowing workaround — confirm.
    config = { pkgs, config2, ... }: {
      services.engelsystem = {
        enable = true;
        domain = publicHost;

        config = {
          app_name = "Hasenloch";
          url = "https://${publicHost}";
          rewrite_urls = true;
          theme = 10;
          signup_requires_arrival = true;
          enable_dect = false;

          footer_items = {
            FAQ = "TODO";
            Contact = "TODO";
          };

          # Forwarded-client headers are honoured only from these sources; the
          # host-side nginx is the intended proxy.
          # NOTE(review): a /31 on 192.168.100.5 also covers 192.168.100.4.
          # A /32 on hostAddress would be the tightest match — confirm nothing
          # relies on the wider range.
          trusted_proxies = [ "${guest.hostAddress}/31" ];

          # No database password is set here.
          # NOTE(review): presumably the module uses local socket
          # authentication — verify against the engelsystem module.
          database = {
            host = "localhost";
            database = "engelsystem";
            username = "engelsystem";
          };

          email = {
            driver = "smtp";
            host = "mail.hacc.space";
            port = 587;
            encryption = "tls";
            username = "noreply@infra4future.de";

            # The password is given as a file reference, not a literal.
            # NOTE(review): presumably read at runtime so the value stays out
            # of the world-readable Nix store; the file has to exist inside
            # the container with restrictive permissions — confirm.
            password = {
              _secret = "/var/keys/engelsystem/mail";
            };

            from = {
              name = "divoc Hasenloch";
              address = "noreply@infra4future.de";
            };
          };
        };
      };

      # NOTE(review): the firewall is switched off, so the port-80 allow list
      # below has no effect and every listening socket in the container
      # (including CoreDNS on 53) is reachable from whatever can route to
      # 192.168.100.7. If disabling it was a workaround, consider re-enabling
      # it so that only port 80 is exposed.
      networking.firewall = {
        enable = false;
        allowedTCPPorts = [ 80 ];
      };

      # Resolver inside the container: forwards every query to 1.1.1.1 over
      # plain DNS.
      # NOTE(review): `.:53` does not restrict the listen address; if only
      # processes inside the container use it, the CoreDNS `bind` plugin
      # would narrow the exposure.
      services.coredns = {
        enable = true;
        config = ''
          .:53 {
            forward . 1.1.1.1
          }
        '';
      };
    };
  };

  # Host-side reverse proxy: terminates TLS (ACME certificate, HTTP redirected
  # to HTTPS) and passes requests to the container as plain HTTP over the veth
  # link. recommendedProxySettings adds the forwarding headers that the app's
  # trusted_proxies setting is meant to accept.
  services.nginx = {
    recommendedProxySettings = true;

    virtualHosts.${publicHost} = {
      forceSSL = true;
      enableACME = true;
      locations."/".proxyPass = "http://${guest.localAddress}";
    };
  };

  # NAT traffic from the container's veth out through enp6s0 so the container
  # can reach external hosts (the SMTP relay and upstream DNS set above).
  networking.nat = {
    enable = true;
    internalInterfaces = [ "ve-hasenloch" ];
    externalInterface = "enp6s0";
  };
}