{
  lib,
  config,
  pkgs,
  ...
}:
let
  inherit (lib) mkIf mkEnableOption mkOption;
  inherit (lib.types) port;

  # Shorthand for the values set under this module's own option namespace.
  cfg = config.modules.container.nginxproxymanager;

  # mkPortOption defaultPort text: declare a TCP port option of type
  # `lib.types.port` that defaults to `defaultPort` and is described by `text`.
  # The value is only a host-side port number; it does not choose a bind address.
  mkPortOption =
    defaultPort: text:
    mkOption {
      description = text;
      default = defaultPort;
      type = port;
    };
in
{
  # Option surface of the module: one enable switch plus the three host ports
  # that get mapped onto the container's fixed ports 80, 443 and 81.
  options.modules.container.nginxproxymanager = {
    enable = mkEnableOption "Nginx Proxy Manager container";

    # Public reverse-proxy listeners.
    ports.http = mkPortOption 80 "Port for http access";
    ports.https = mkPortOption 443 "Port for https access";

    # Host port mapped to container port 81 (the "webpage" in the description
    # below).
    # NOTE(review): presumably this is the Nginx Proxy Manager admin UI; if so
    # it belongs on a management network, not next to the public 80/443
    # listeners.
    ports.web = mkPortOption 81 "Port for the webpage";
  };

  # Everything below is only applied when the module is enabled. It defines the
  # container itself plus the systemd units that create the podman network and
  # volumes the container depends on.
  config = mkIf cfg.enable (
    let
      # Names shared by several of the definitions below.
      rootTarget = "podman-compose-nginx-root.target";
      networkName = "nginx_default";

      # Units that must exist and be started before the container unit.
      prerequisiteUnits = [
        "podman-network-nginx_default.service"
        "podman-volume-nginx_letsencrypt.service"
        "podman-volume-nginx_nginx.service"
      ];

      # "<host port>:<container port>/tcp" publish string.
      publish = hostPort: containerPort: "${toString hostPort}:${toString containerPort}/tcp";

      # Oneshot unit that creates the named podman volume unless it already
      # exists. There is no ExecStop, so stopping the unit keeps the volume and
      # its data.
      mkVolumeUnit = volumeName: {
        path = [ pkgs.podman ];
        serviceConfig = {
          Type = "oneshot";
          RemainAfterExit = true;
        };
        script = ''
          podman volume inspect ${volumeName} || podman volume create ${volumeName}
        '';
        partOf = [ rootTarget ];
        wantedBy = [ rootTarget ];
      };
    in
    {
      modules.container.enable = true;

      # Containers
      virtualisation.oci-containers.containers."nginxproxymanager" = {
        # NOTE(review): ":latest" is a floating tag, so what actually runs
        # depends on when the image was last pulled and the deployment is not
        # reproducible. Prefer a fixed release tag or, better, an image digest
        # ("...@sha256:<digest>") and bump it deliberately.
        image = "jc21/nginx-proxy-manager:latest";
        volumes = [
          # Holds the issued certificates and their private keys; treat the
          # volume (and any backup of it) as secret material.
          "nginx_letsencrypt:/etc/letsencrypt:rw"
          "nginx_nginx:/data:rw"
        ];
        # NOTE(review): no host address is given, so podman publishes every
        # port on all host interfaces. That is expected for 80/443; for the
        # port mapped to container port 81 (presumably the admin UI - confirm),
        # consider restricting it to a management address. Depending on the
        # image version a fresh instance may come up with documented default
        # admin credentials - verify and change them before the port is
        # reachable. Published container ports may also be reachable regardless
        # of networking.firewall settings - confirm on the target host.
        ports = [
          (publish cfg.ports.http 80)
          (publish cfg.ports.web 81)
          (publish cfg.ports.https 443)
        ];
        log-driver = "journald";
        extraOptions = [
          # NOTE(review): the network is created with --disable-dns below, so
          # this alias is presumably not resolvable by other containers -
          # confirm whether it is still needed.
          "--network-alias=nginxproxymanager"
          "--network=${networkName}"
        ];
      };

      #: Systemd services {{{
      systemd.services."podman-nginxproxymanager" = {
        # Priority 500 overrides mkDefault values but still yields to a plain
        # definition made elsewhere.
        serviceConfig.Restart = lib.mkOverride 500 "always";
        # `requires` pulls the prerequisite units in, `after` orders the
        # container behind them.
        after = prerequisiteUnits;
        requires = prerequisiteUnits;
        partOf = [ rootTarget ];
        wantedBy = [ rootTarget ];
      };

      # Networks
      systemd.services."podman-network-nginx_default" = {
        path = [ pkgs.podman ];
        serviceConfig = {
          Type = "oneshot";
          RemainAfterExit = true;
          # Stopping the unit removes the network again (-f forces removal).
          ExecStop = "podman network rm -f ${networkName}";
        };
        # Create the network only when inspecting it fails.
        script = ''
          podman network inspect ${networkName} || podman network create ${networkName} --disable-dns
        '';
        partOf = [ rootTarget ];
        wantedBy = [ rootTarget ];
      };

      # Volumes
      systemd.services."podman-volume-nginx_letsencrypt" = mkVolumeUnit "nginx_letsencrypt";
      systemd.services."podman-volume-nginx_nginx" = mkVolumeUnit "nginx_nginx";

      # Umbrella target: every unit above is wantedBy/partOf it, and it is
      # started with multi-user.target.
      systemd.targets."podman-compose-nginx-root" = {
        unitConfig.Description = "Root target generated by compose2nix.";
        wantedBy = [ "multi-user.target" ];
      };
      #: }}}
    }
  );

}