{ config, lib, pkgs, self, ... }:
let
  pubsolarDomain = import ./pubsolar-domain.nix;

  # Key material bind-mounted into the concourse container under /keys.
  keys = [
    "concourse-session-signing-key"
    "concourse-worker-key"
    "concourse-tsa-host-key"
  ];

  # All age-encrypted secrets this module decrypts: two env files plus the keys.
  secrets = [ "concourse-secrets" "concourse-db-secrets" ] ++ keys;

  # Decrypt each secret to a file readable only by the concourse user (0600),
  # which is the same uid the concourse container runs as.
  secretAttrs = name: {
    file = "${self}/secrets/${name}.age";
    mode = "600";
    owner = "concourse";
  };

  # Host path of a decrypted secret.
  secretPath = name: config.age.secrets.${name}.path;
in
{
  # One attribute per secret name; same result as folding `//` over the list.
  age.secrets = lib.genAttrs secrets secretAttrs;

  users.users.concourse = {
    description = "Concourse Service";
    home = "/var/lib/concourse";
    useDefaultShell = true;
    uid = 10001;
    group = "concourse";
    isSystemUser = true;
  };
  users.groups.concourse = { };

  systemd.tmpfiles.rules = [
    "d '/var/lib/concourse' 0750 concourse concourse - -"
  ];

  virtualisation.oci-containers.containers = {
    "concourse-db" = {
      image = "postgres:14";
      autoStart = true;
      user = "994";
      volumes = [ "/data/concourse/db:/var/lib/postgresql/data" ];
      extraOptions = [ "--network=concourse-net" ];
      # The env file is read by the container runtime on the host, so the
      # 0600/concourse permissions on it are independent of uid 994 inside.
      environmentFiles = [ (secretPath "concourse-db-secrets") ];
    };

    "concourse" = {
      image = "concourse/concourse:7.9.1";
      autoStart = true;
      # Matches users.users.concourse.uid so the mounted 0600 key files are readable.
      user = "10001";
      # NOTE(review): "8080:8080" publishes the web UI on every host interface;
      # confirm a reverse proxy / firewall fronts it before relying on TLS at
      # CONCOURSE_EXTERNAL_URL.
      ports = [ "8080:8080" ];
      dependsOn = [ "concourse-db" ];
      extraOptions = [ "--network=concourse-net" ];
      volumes = [
        "${secretPath "concourse-session-signing-key"}:/keys/session_signing_key"
        "${secretPath "concourse-worker-key"}:/keys/worker_key"
        "${secretPath "concourse-tsa-host-key"}:/keys/tsa_host_key"
      ];
      environment = {
        CONCOURSE_EXTERNAL_URL = "https://ci.${pubsolarDomain}";
        # NOTE(review): a fixed plaintext password for the main-team user is
        # committed here and ends up in the generated unit in the Nix store;
        # treat it as a bootstrap default to rotate, or move the value into the
        # concourse-secrets env file.
        CONCOURSE_ADD_LOCAL_USER = "crew:changeme";
        CONCOURSE_MAIN_TEAM_LOCAL_USER = "crew";
        # Pin the driver instead of relying on the default "detect".
        CONCOURSE_WORKER_BAGGAGECLAIM_DRIVER = "overlay";
        # NOTE(review): these two relax the browser-side protections Concourse
        # ships with (framing allowed from anywhere, wildcard CSP); presumably
        # needed for embedding the UI elsewhere — confirm that is intended.
        CONCOURSE_X_FRAME_OPTIONS = "allow";
        CONCOURSE_CONTENT_SECURITY_POLICY = "*";
        CONCOURSE_CLUSTER_NAME = "pub.solar";
        CONCOURSE_WORKER_CONTAINERD_DNS_SERVER = "8.8.8.8";
        CONCOURSE_SESSION_SIGNING_KEY = "/keys/session_signing_key";
        CONCOURSE_TSA_HOST_KEY = "/keys/tsa_host_key";
        CONCOURSE_TSA_AUTHORIZED_KEYS = "/keys/worker_key";
        # On ARM-based machines switch the runtime to "houdini".
        CONCOURSE_WORKER_RUNTIME = "containerd";
      };
      environmentFiles = [ (secretPath "concourse-secrets") ];
    };
  };
}