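# NixOS module: PufferPanel game-server panel behind an nginx TLS reverse proxy,
# plus a second proxied vhost ("tlemap") and the firewall/Docker settings the
# panel needs.
{ lib, config, inputs, pkgs, ... }:
let
  inherit (config.networking) domain;

  # PufferPanel web UI (plain HTTP, reached through nginx below) and its SFTP daemon.
  puffer_port = 8080;
  puffer_sftp_port = 5657;
  puffer_host = "puffer.${domain}";

  # Second proxied backend. No service listening on this port is defined in this
  # module; presumably it is started elsewhere (TODO confirm).
  tlemap_host = "tlemap.${domain}";
  tlemap_port = 8100;
in
{
  services.pufferpanel = {
    enable = true;
    environment = {
      # NOTE(review): ":<port>" listens on every interface. This module does not
      # open puffer_port in the firewall and nginx only talks to 127.0.0.1, so a
      # loopback-only bind would be sufficient for the web UI - confirm nothing
      # else needs direct access before tightening it.
      PUFFER_WEB_HOST = ":${builtins.toString puffer_port}";
      # SFTP is exposed directly (see allowedTCPPorts), so it has to listen publicly.
      PUFFER_DAEMON_SFTP_HOST = ":${builtins.toString puffer_sftp_port}";
    };
    extraPackages = with pkgs; [ ];
    # Access to the Docker socket lets the panel start containers. Membership in
    # the "docker" group is effectively root on the host, so a compromise of the
    # panel should be treated as a compromise of the machine.
    extraGroups = [ "docker" ];
  };

  services.nginx = {
    enable = true;

    # TLS terminates here; both backends are only addressed over loopback.
    virtualHosts."${puffer_host}" = {
      serverName = puffer_host;
      forceSSL = true;
      useACMEHost = domain;
      locations."/" = {
        proxyPass = "http://127.0.0.1:${builtins.toString puffer_port}";
      };
    };

    virtualHosts."${tlemap_host}" = {
      serverName = tlemap_host;
      forceSSL = true;
      useACMEHost = domain;
      locations."/" = {
        proxyPass = "http://127.0.0.1:${builtins.toString tlemap_port}";
      };
    };
  };

  # Both vhosts reuse the certificate issued for the base domain, so their names
  # are added to it as extra SANs.
  security.acme.certs."${domain}".extraDomainNames = [
    puffer_host
    tlemap_host
  ];

  # Ports reachable from outside: PufferPanel SFTP plus, presumably, the game
  # servers managed by the panel (TODO confirm which server uses which port).
  # NOTE(review): ports published by Docker containers are opened by Docker's own
  # iptables rules and are not limited by this list - review container port
  # mappings separately.
  networking.firewall.allowedTCPPorts = [
    puffer_sftp_port
    25565
    25566
    25567
    25568
    7270
  ];

  # virtualisation.podman.enable = true;
  virtualisation.docker.enable = true;

  environment.systemPackages = with pkgs; [
    pufferpanel
    # CLI wrapper that points pufferpanel at the service's state directory.
    # "$@" is quoted so arguments containing spaces or glob characters are passed
    # through unchanged instead of being word-split by the shell.
    (writeShellScriptBin "pufferpanel-nix" ''
      pufferpanel --workDir /var/lib/pufferpanel "$@"
    '')
  ];
}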