# NixOS module: runs Jellyfin as a Podman-backed OCI container that joins a
# tailnet through the Tailscale docker mod. The Tailscale auth key is supplied
# through sops-nix rather than written into this file.
{ config, ... }:
{
  # Declares the encrypted secret; sops-nix decrypts it on the host.
  # NOTE(review): the key type is not visible here. A single-use, tagged,
  # expiring key limits the damage if the rendered env file ever leaks; confirm
  # how this key was minted.
  sops.secrets."tailscale/authkey" = { };

  # Env file rendered by sops-nix with the placeholder replaced by the real key.
  # It is handed to the container through `environmentFiles` below, which keeps
  # the key out of the `environment` set (those values end up in the generated
  # unit and therefore in the world-readable Nix store).
  sops.templates."docker.env".content = ''
    TAILSCALE_AUTHKEY=${config.sops.placeholder."tailscale/authkey"}
  '';

  virtualisation.containers.enable = true;
  virtualisation.podman.enable = true;

  virtualisation.oci-containers.containers.jellyfin = {
    # Supply-chain note: `:latest` is a mutable tag, and `--pull=newer` (see
    # extraOptions) fetches whatever the registry currently serves under it, so
    # the running code can change without any change to this file. Pinning by
    # digest (`lscr.io/linuxserver/jellyfin@sha256:<digest>`, placeholder) makes
    # upgrades an explicit, reviewable edit.
    image = "lscr.io/linuxserver/jellyfin:latest";

    volumes = [
      "jellyfin-config:/config"
      "/video-data/media:/data/media"
      # Persists Tailscale node state (matches TAILSCALE_STATE_DIR) so the
      # container keeps its tailnet identity across restarts. The volume holds
      # node key material and should be protected like the auth key.
      "jellyfin-tailscale:/var/lib/tailscale"
    ];

    environment = {
      # The mod is tracked on the `main` branch tag, another mutable reference.
      # It is loaded into the same container that receives TAILSCALE_AUTHKEY,
      # so a changed mod image runs with access to that key.
      # NOTE(review): pin to a release tag or digest if the mod loader
      # supports it.
      DOCKER_MODS = "ghcr.io/tailscale-dev/docker-mod:main";
      TAILSCALE_STATE_DIR = "/var/lib/tailscale";
      TAILSCALE_HOSTNAME = "jellyfin";
      # Port 8096 is offered over the tailnet in "http" mode.
      # NOTE(review): presumably plain HTTP carried inside the Tailscale
      # tunnel; confirm whether the mod's HTTPS mode is wanted instead.
      TAILSCALE_SERVE_PORT = "8096";
      TAILSCALE_SERVE_MODE = "http";
      TZ = "America/New_York";
      # linuxserver.io convention: UID/GID the service runs as, and its umask.
      # UMASK 002 leaves new files group-writable.
      PUID = "920";
      PGID = "911";
      UMASK = "002";
    };

    # Secret-bearing variables only; see the sops template above.
    environmentFiles = [ config.sops.templates."docker.env".path ];

    # NOTE(review): presumably read by a SWAG reverse proxy on the same
    # network to auto-publish this service; confirm that exposure is intended
    # in addition to the tailnet route.
    labels = {
      swag = "enable";
    };

    # Published without a bind address, so both UDP ports listen on every host
    # interface. NOTE(review): these look like Jellyfin's DLNA (1900) and
    # client-discovery (7359) ports; drop them or bind to a LAN address if
    # local discovery is not needed.
    ports = [
      "1900:1900/udp"
      "7359:7359/udp"
    ];

    extraOptions = [
      # Re-pulls when the registry copy is newer than the local one.
      "--pull=newer"
      # Joins the pre-existing "www" network; it is not created in this module.
      "--network=www"
    ];
  };
}