{ config, lib, pkgs, self, ... }:
let
  # Canonical public domain, kept in a separate file so other modules can share it.
  pubsolarDomain = import ./pubsolar-domain.nix;

  # Most public vhosts discard their access logs; stated once and reused below.
  noAccessLog = lib.mkForce ''
    output discard
  '';

  # Build a vhost that discards its logs and carries the given Caddyfile snippet.
  quietHost = extraConfig: {
    logFormat = noAccessLog;
    inherit extraConfig;
  };
in
{
  networking = {
    # The host side of the container veth is managed by NixOS, not NetworkManager.
    networkmanager.unmanaged = [ "interface-name:ve-caddy" ];

    nat = {
      enable = true;
      internalInterfaces = [ "ve-caddy" ];
      externalInterface = "enp0s31f6";
      # Lazy IPv6 connectivity for the container
      enableIPv6 = true;
    };
  };

  containers.caddy = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = "192.168.101.0";
    localAddress = "192.168.102.0";
    hostAddress6 = "fc00::1";
    localAddress6 = "fc00::2";

    # Only HTTP and HTTPS are published from the container to the host.
    forwardPorts = [
      { containerPort = 443; hostPort = 443; protocol = "tcp"; }
      { containerPort = 80; hostPort = 80; protocol = "tcp"; }
    ];

    # NOTE(review): the only consumer of /srv/www visible in this file is Caddy's
    # file_server, which does not write; if nothing else needs write access,
    # isReadOnly = true would be the least-privilege setting — confirm before changing.
    bindMounts."/srv/www/" = {
      hostPath = "/data/www/";
      isReadOnly = false;
    };

    config = {
      services.caddy = {
        enable = lib.mkForce true;
        group = "hakkonaut";
        email = "admins@pub.solar";
        # No ACME and no automatic HTTPS or HTTP->HTTPS redirects in this instance;
        # TLS handling is presumably done elsewhere (not visible here).
        globalConfig = lib.mkForce ''
          auto_https off
        '';
        acmeCA = null;

        virtualHosts = {
          # NOTE(review): :2019 is Caddy's default admin API endpoint, which accepts
          # configuration changes; no auth is applied in this vhost, so confirm it is
          # intended to be reachable and that access is restricted upstream.
          "dashboard.nougat-2.b12f.io".extraConfig = ''
            reverse_proxy :2019
          '';

          "www.b12f.io".extraConfig = ''
            redir https://pub.solar{uri}
          '';

          # NOTE(review): this proxies to :8080 inside the container, whereas the
          # auth.<domain> vhost below proxies to 192.168.103.0:8080 — verify which
          # backend is intended here.
          "mail.b12f.io".extraConfig = ''
            redir / /realms/pub.solar/account temporary
            reverse_proxy :8080
          '';

          # Main site: OS images under /os/download, static website otherwise.
          "${pubsolarDomain}" = quietHost ''
            # PubSolarOS images
            handle /os/download/* {
              root * /srv/www
              file_server /os/download/* browse
            }
            # serve base domain pub.solar for mastodon.pub.solar
            # https://masto.host/mastodon-usernames-different-from-the-domain-used-for-installation/
            handle /.well-known/host-meta {
              redir https://mastodon.${pubsolarDomain}{uri}
            }
            # pub.solar website
            handle {
              root * /srv/www/pub.solar
              try_files {path}.html {path}
              file_server
            }
            # minimal error handling, respond with status code and text
            handle_errors {
              respond "{http.error.status_code} {http.error.status_text}"
            }
          '';

          "www.${pubsolarDomain}" = quietHost ''
            redir https://${pubsolarDomain}{uri}
          '';

          # 192.168.103.0 is not defined in this file; presumably another container's
          # address — verify against the rest of the configuration.
          "auth.${pubsolarDomain}" = quietHost ''
            redir / /realms/${pubsolarDomain}/account temporary
            reverse_proxy 192.168.103.0:8080
          '';

          # 192.168.101.0 is this container's hostAddress, i.e. a service on the host.
          "git.${pubsolarDomain}" = quietHost ''
            redir /user/login /user/oauth2/keycloak temporary
            reverse_proxy 192.168.101.0:3000
          '';

          # Also proxied back to the host (hostAddress).
          "ci.${pubsolarDomain}" = quietHost ''
            reverse_proxy 192.168.101.0:8080
          '';
        };
      };

      # Container-side firewall: only the two forwarded ports are open.
      networking.firewall.allowedTCPPorts = [ 80 443 ];
    };
  };
}