# NixOS module: runs Actual Budget in a declarative container on a private
# veth network and forwards the service port from the host into it.
{ ... }:
let
  # Addresses of the host side and container side of the private network link.
  hostAddress = "10.0.1.18";
  localAddress = "10.0.3.18";

  # TCP port the Actual server listens on; also the host port forwarded by NAT.
  actualPort = 3333;

  # NOTE(review): this host path names "jellyseerr" although the container is
  # "actual". It looks like a copy/paste leftover; confirm. If another service
  # really uses this directory, the writable bind mount below lets this
  # container read and modify that service's data.
  hostDataDir = "/media/nas/ssd/nix-app-data/jellyseerr";
  dataDir = "/var/lib/private/actual-data";
  stateDir = "/var/lib/private/actual";
in
{
  containers.actual = {
    autoStart = true;
    privateNetwork = true;
    inherit hostAddress localAddress;

    # Both mounts are writable from inside the container.
    bindMounts = {
      ${dataDir} = {
        hostPath = hostDataDir;
        isReadOnly = false;
      };
      ${stateDir} = {
        hostPath = stateDir;
        isReadOnly = false;
      };
    };

    config =
      { lib, ... }:
      {
        services.actual = {
          enable = true;
          # NOTE(review): presumably this already opens `port`; the explicit
          # allowedTCPPorts entry below would then be redundant. Verify.
          openFirewall = true;
          settings = {
            # Only the host end of the veth link is listed as a trusted proxy.
            trustedProxies = [ hostAddress ];
            port = actualPort;
            # NOTE(review): dataDir and openId sit under a nested `config` key;
            # verify that the server actually reads them from there.
            config = {
              inherit dataDir;
              openId = {
                issuer = "https://authentik.mjallen.dev/application/o/actual-budget/";
                # TODO
                client_id = "1PGCrRdndq7SoOSLuNMnXFmHpgd1NKRMOa5LSia2";
                # NOTE(review): the OIDC client secret is written inline.
                # Literals in a Nix expression are copied into the
                # world-readable /nix/store and live in version control.
                # The value is identical to client_id, so it is presumably a
                # placeholder (see TODO). If it was ever a real secret, rotate
                # it at the identity provider. Supply the real one from a file
                # outside the store (e.g. sops-nix, agenix, or a systemd
                # EnvironmentFile) rather than from this expression.
                client_secret = "1PGCrRdndq7SoOSLuNMnXFmHpgd1NKRMOa5LSia2";
                server_hostname = "https://actual.mjallen.dev";
                authMethod = "openid";
              };
            };
          };
        };

        networking.firewall.enable = true;
        networking.firewall.allowedTCPPorts = [ actualPort ];

        # Use systemd-resolved inside the container
        # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
        networking.useHostResolvConf = lib.mkForce false;
        services.resolved.enable = true;

        system.stateVersion = "23.11";
      };
  };

  # Forward host port actualPort to the same port inside the container.
  # NOTE(review): only forwardPorts is set here; NAT enablement and the
  # interface selection are presumably configured elsewhere. Confirm.
  networking.nat.forwardPorts = [
    {
      destination = "${localAddress}:${toString actualPort}";
      sourcePort = actualPort;
    }
  ];
}