# NixOS module for the "ergo01" guest: an Ergo IRC server (TLS on 6697,
# WebSocket on 8067) behind an nginx vhost for irc.dukeceph.xyz, with Docker
# (IPv6 enabled) running alongside it.
{ pkgs, lib, ... }:
{
  imports = [ ./lxc-base.nix ];

  config = {
    my.vm = {
      name = "ergo01";
      ip4 = "192.168.0.8";
    };

    # certbot is installed as a plain CLI tool; the Ergo TLS listener below
    # reads its certificate from /etc/letsencrypt.
    environment.systemPackages = [ pkgs.certbot ];

    networking.firewall = {
      # Interfaces matching "br-+" are accepted unconditionally by the
      # firewall (presumably the Docker bridges; confirm nothing else on the
      # host matches that pattern).
      trustedInterfaces = [ "br-+" ];

      # NOTE(review): 8067 is the plaintext WebSocket listener that nginx
      # already reaches over loopback. Opening it here also makes it reachable
      # directly, without TLS, so credentials sent over it are not protected
      # in transit. Confirm a direct client or upstream proxy really needs it.
      allowedTCPPorts = [ 8067 6697 443 80 ];
    };

    virtualisation.docker = {
      enable = true;
      daemon.settings = {
        ipv6 = true;
        fixed-cidr-v6 = "fd00::/80";
      };
    };

    security.acme = {
      acceptTerms = true;
      defaults.email = "admin+acme@dukeceph.xyz";
    };

    services.nginx = {
      enable = true;
      virtualHosts."irc.dukeceph.xyz" = {
        # NOTE(review): addSSL serves this vhost on both HTTP and HTTPS, so
        # /webirc can also be used over plain HTTP on port 80. forceSSL would
        # redirect HTTP to HTTPS instead; confirm nothing upstream depends on
        # plain HTTP before switching.
        addSSL = true;
        enableACME = true;
        root = "/var/www/html";

        # WebSocket upgrade proxy to the local Ergo listener.
        # NOTE(review): X-Forwarded-For is only useful if Ergo is told to
        # trust this proxy (server.proxy-allowed-from), which this file does
        # not set. If it is not supplied elsewhere, every web client appears
        # as 127.0.0.1 to cloaking, bans and connection limits. TODO confirm.
        locations."/webirc".extraConfig = ''
          proxy_pass http://127.0.0.1:8067;
          proxy_read_timeout 600s;
          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "Upgrade";
          proxy_set_header X-Forwarded-For $remote_addr;
          proxy_set_header X-Forwarded-Proto $scheme;
        '';
      };
    };

    # Static account the Ergo service runs as (see the systemd override at
    # the end of this module).
    users = {
      groups.ergo = { };
      users.ergo = {
        isSystemUser = true;
        group = "ergo";
      };
    };

    services.ergochat = {
      enable = true;
      settings = {
        network.name = "dukeceph.xyz";

        server = {
          name = "dukeceph.xyz";
          enforce-utf8 = true;

          ip-cloaking = {
            enabled = true;
            netname = "dukeceph.xyz";
          };

          listeners = {
            # TLS listener. The certificate and key live under certbot's
            # directory, so the "ergo" user needs read access to privkey.pem;
            # grant that through group ownership rather than by making the
            # key world-readable.
            ":6697".tls = {
              cert = "/etc/letsencrypt/live/irc.dukeceph.xyz/fullchain.pem";
              key = "/etc/letsencrypt/live/irc.dukeceph.xyz/privkey.pem";
            };

            # Plaintext WebSocket listener, bound to all interfaces.
            ":8067".websocket = true;
          };

          # NOTE(review): connections from these ranges are treated as secure
          # even without TLS. 192.168.0.0/24 covers the whole LAN, and every
          # client proxied by nginx arrives from 127.0.0.1. Confirm that both
          # are meant to count as trusted links.
          secure-nets = [ "127.0.0.0/24" "192.168.0.0/24" ];
        };

        oper-classes = {
          chat-moderator = {
            title = "Chat Moderator";
            capabilities = [
              "kill" # disconnect user sessions
              "ban" # ban IPs, CIDRs and NUH masks, suspend accounts (UBAN / DLINE / KLINE)
              "nofakelag" # exempt from "fakelag" limits on message send rate
              "relaymsg" # use RELAYMSG in any channel (see the `relaymsg` config block)
              "vhosts" # add and remove vhosts from users
              "sajoin" # join arbitrary channels, including private ones
              "samode" # modify arbitrary channel and user modes
              "snomasks" # subscribe to arbitrary server notice masks
              "roleplay" # use the (deprecated) roleplay commands in any channel
            ];
          };

          server-admin = {
            title = "Server Admin";
            extends = "chat-moderator";
            capabilities = [
              "rehash" # reload the config at runtime
              "accreg" # modify arbitrary account registrations
              "chanreg" # modify arbitrary channel registrations
              "history" # modify or delete history messages
              "defcon" # use the DEFCON command (restrict server capabilities)
              "massmessage" # message all users on the server
              "metadata" # modify arbitrary metadata on channels and users
            ];
          };
        };

        opers.duke = {
          class = "server-admin";
          whois-line = "is the server administrator";
          # NOTE(review): this is a bcrypt hash at cost 4 (the "$2a$04$"
          # prefix) for the most privileged operator. Being inline, it is
          # copied into the Nix store and into version control, where anyone
          # with read access can attempt an offline guess at low cost per try.
          # Keep it out of the store via a secrets mechanism, use a long
          # random password, and rotate it if this file has been shared.
          password = "$2a$04$eEXmtfM76.qp3D7kJna7k.dF7xeeACwvxwxUM4.ysW5Kndk/S.drG";
        };
      };
    };

    systemd.services.ergochat = {
      # Configuration switches do not restart the running server.
      restartIfChanged = false;

      # Force the unit off DynamicUser and run it as the static "ergo"
      # account declared above.
      serviceConfig = {
        DynamicUser = lib.mkForce false;
        User = "ergo";
        Group = "ergo";
      };
    };
  };
}