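# NixOS host module: runs a Tang (network-bound disk encryption key server)
# inside an ephemeral NixOS container. Tang's key database is bind-mounted
# from the host so the keys survive container restarts.
{ pkgs, config, ... }:
let
  # Path inside the container where the Tang key database lives.
  containerStateDir = "/data";
  # Host directory bind-mounted at containerStateDir; holds the persistent keys.
  hostStateDir = "/opt/tangd";
  # TCP port tangd is reachable on; opened in the host firewall below.
  servicePort = 8081;
in
{
  # privateNetwork is not set, so the container uses the host network
  # namespace and the host firewall is what gates access to tangd.
  networking.firewall.allowedTCPPorts = [ servicePort ];

  containers."tang" = {
    autoStart = true;
    # The container root filesystem is discarded on every start; only the
    # bind mount below persists.
    ephemeral = true;
    bindMounts."${containerStateDir}" = {
      hostPath = hostStateDir;
      isReadOnly = false;
    };

    config = { config, pkgs, ... }: {
      # Filtering is handled by the host firewall (shared network namespace).
      networking.firewall.enable = false;

      users.groups."_tang" = { };
      users.users."_tang" = {
        group = "_tang";
        isSystemUser = true;
      };

      environment.systemPackages = with pkgs; [ jose tang ];

      # Create the key directory during early boot (before sockets.target),
      # owned by the service user and not readable by other container users:
      # it holds Tang's private signing and exchange keys. This replaces an
      # `mkdir -p` in ExecStartPre, which ran as _tang (and so failed when
      # /data was root-owned) and left the directory at the default umask mode.
      systemd.tmpfiles.rules = [
        "d ${containerStateDir}/tang-db 0700 _tang _tang -"
      ];

      # Template unit: one instance per accepted connection (inetd style);
      # with Accept=true the connection socket is passed on stdin/stdout.
      systemd.services."tangd@" = {
        enable = true;
        serviceConfig = {
          ExecStart = "${pkgs.tang}/libexec/tangd ${containerStateDir}/tang-db";
          User = "_tang";
          Group = "_tang";
        };
      };

      systemd.sockets."tangd" = {
        enable = true;
        # A bare port binds on all addresses; use "address:port" here if
        # tangd should only be reachable on one interface.
        listenStreams = [ "${toString servicePort}" ];
        wantedBy = [ "sockets.target" ];
        socketConfig = {
          Accept = true;
        };
      };

      system.stateVersion = "22.11";
    };
  };
}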