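# NixOS module: runs InvoicePlane inside a declarative container on a private
# network link and publishes it through the host's nginx, which terminates TLS.
{ self, config, pkgs, ... }:
let
  # Host side and container side of the container's private network link.
  hostAddress = "10.10.42.1";
  serviceAddress = "10.10.42.11";

  domain = "inv.gssws.de";

  # Application state is kept on the host and bind-mounted into the container.
  hostStateDir = "/mnt/internal/invoiceplane";
  containerStateDir = "/var/lib/invoiceplane";
in {
  # nginx
  # Public entry point: HTTPS is enforced (forceSSL) with an ACME-issued
  # certificate (enableACME). The upstream hop to the container is plain HTTP,
  # addressed to the container's private address.
  # NOTE(review): the container's Caddy vhost below is keyed on the domain
  # name, so nginx has to forward the original Host header (for example via
  # services.nginx.recommendedProxySettings, which is not set in this file).
  # Confirm it is enabled elsewhere.
  services.nginx.virtualHosts."${domain}" = {
    forceSSL = true;
    enableACME = true;
    locations = {
      "/" = {
        proxyPass = "http://${serviceAddress}:80";
      };
    };
  };

  # invoiceplane
  containers."invoiceplane" = {
    privateNetwork = true;
    # Reuse the let-bound address instead of repeating the literal, so the
    # host side of the link is defined in exactly one place.
    inherit hostAddress;
    localAddress = serviceAddress;

    # Writable mount: the service's stateDir (set below) points at this path.
    bindMounts."${containerStateDir}" = {
      hostPath = hostStateDir;
      isReadOnly = false;
    };

    config = { config, pkgs, ... }: {
      # Port 80 is the only port opened in the container's firewall; the host's
      # nginx is the intended client.
      # NOTE(review): the rule is not restricted by source address, so anything
      # that can route to serviceAddress reaches the application without TLS.
      # Confirm the private link is not forwarded from other networks.
      networking.firewall.allowedTCPPorts = [ 80 ];

      services.rsyslogd.enable = true;

      services.phpfpm.pools."invoiceplane-${domain}".phpOptions = '' date.timezone = Europe/Berlin '';

      # Plain-HTTP vhost listening on all container interfaces.
      services.caddy.virtualHosts."http://${domain}".listenAddresses = [ "0.0.0.0" ];

      services.invoiceplane.sites."${domain}" = {
        enable = true;
        stateDir = containerStateDir;
        # NOTE(review): only the user and database name are set here; no
        # password or host is configured, so presumably the module's
        # local-database defaults apply. Confirm.
        database = {
          user = "invoiceplane";
          name = "invoiceplane";
        };
      };
    };
  };
}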