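{ pkgs, lib, ... }:
let
  # The two ends of the container's veth link (interface ve-mattermost on the host).
  hostAddress = "192.168.100.20";
  containerAddress = "192.168.100.21";
in {

  # backup mattermost: both bind-mounted state directories live below this path
  backup.dirs = [ "/home/mattermost" ];

  containers.mattermost = {

    # mount host folders into the container (persistent state lives on the host)
    bindMounts = {
      home = {
        # make sure this folder exists on the host
        hostPath = "/home/mattermost/home";
        mountPoint = "/var/lib/mattermost";
        isReadOnly = false;
      };
      db = {
        # make sure this folder exists on the host
        hostPath = "/home/mattermost/db";
        mountPoint = "/var/lib/postgresql";
        isReadOnly = false;
      };
    };

    # container network setup
    # see also the NAT setup on the host system below.
    privateNetwork = true;
    inherit hostAddress;
    localAddress = containerAddress;
    autoStart = true;

    config = { config, pkgs, lib, ... }: {
      imports = [ ];

      # NOTE(review): services.nginx.enable is not set inside the container;
      # unless another module enables it, the logging config below is inert — confirm.
      services.nginx = {
        # Use recommended settings
        recommendedGzipSettings = lib.mkDefault true;
        recommendedOptimisation = lib.mkDefault true;
        recommendedProxySettings = lib.mkDefault true;
        recommendedTlsSettings = lib.mkDefault true;

        # for graylog logging: ship access/error logs over syslog to the host
        # (the sinks are the host end of the veth link, see firewall rules on the host).
        # NOTE(review): "$request" carries the full request line including the query
        # string; confirm nothing sensitive ends up in graylog via query parameters.
        commonHttpConfig =
          let
            access_log_sink = "${hostAddress}:12304";
            error_log_sink = "${hostAddress}:12305";
          in ''
            log_format graylog2_json escape=json '{ "timestamp": "$time_iso8601", '
              '"facility": "nginx", '
              '"src_addr": "$remote_addr", '
              '"body_bytes_sent": $body_bytes_sent, '
              '"request_time": $request_time, '
              '"response_status": $status, '
              '"request": "$request", '
              '"request_method": "$request_method", '
              '"host": "$host",'
              '"upstream_cache_status": "$upstream_cache_status",'
              '"upstream_addr": "$upstream_addr",'
              '"http_x_forwarded_for": "$http_x_forwarded_for",'
              '"http_referrer": "$http_referer", '
              '"http_user_agent": "$http_user_agent" }';
            access_log syslog:server=${access_log_sink} graylog2_json;
            error_log syslog:server=${error_log_sink};
          '';
      };

      # 8065: mattermost HTTP/websocket, 6667: matterircd.
      # Both are only reachable through the host (privateNetwork), the host
      # firewall does not forward them.
      # NOTE(review): mattermost serves HTTP over TCP only; the UDP 8065 rule
      # looks unneeded — confirm before dropping it.
      networking.firewall.allowedTCPPorts = [ 8065 6667 ];
      networking.firewall.allowedUDPPorts = [ 8065 ];

      # set up mattermost
      # NOTE(review): localDatabasePassword is left at the module default, a fixed
      # value visible in nixpkgs; the database is container-local, but consider
      # setting it from a secret.
      services.mattermost = {
        enable = true;
        siteUrl = "https://chat.ingolf-wagner.de";
        localDatabaseName = "chat";
        localDatabaseUser = "chatty";
        listenAddress = ":8065";
        matterircd = {
          enable = true;
          parameters = [
            "-mmserver chat.ingolf-wagner.de"
            "-restrict chat.ingolf-wagner.de"
            "-bind [::]:6667"
          ];
        };
      };

      # send log to host systems graylog (use tinc or wireguard if host is not graylog)
      services.SystemdJournal2Gelf.enable = true;
      services.SystemdJournal2Gelf.graylogServer = "${hostAddress}:11201";
      services.journald.extraConfig = "SystemMaxUse=1G";
    };
  };

  # give containers internet access
  networking.nat = {
    enable = true;
    internalInterfaces = [ "ve-mattermost" ];
    externalInterface = "enp2s0f1";
  };

  # don't let networkmanager manage the container network
  networking.networkmanager.unmanaged = [ "interface-name:ve-*" ];

  # open ports for logging, only on the container link:
  # 11201 GELF (journal), 12304/12305 nginx access/error syslog
  networking.firewall.interfaces."ve-mattermost" = {
    allowedTCPPorts = [ 11201 12304 12305 ];
    allowedUDPPorts = [ 11201 12304 12305 ];
  };

  # host nginx setup: reverse proxy in front of the container
  # NOTE(review): siteUrl is https but this vhost sets no forceSSL/enableACME;
  # confirm TLS is terminated in front of this host.
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    virtualHosts = {
      "chat.workhorse.private" = {
        serverAliases = [ "chat.ingolf-wagner.de" ];
        locations."/" = {
          proxyWebsockets = true;
          proxyPass = "http://${containerAddress}:8065";
        };
      };
    };
  };
}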