# NixOS module for the Termix container service: imports the guacd module,
# renders the OIDC client credentials into a sops-managed env file, and
# declares the container through the project's mkContainerService helper.
{
  lib,
  config,
  namespace,
  ...
}:
let
  helpers = lib.${namespace};
  termixCfg = config.${namespace}.services.termix;
  network = helpers.network;

  # Single source for the template name: it is registered by mkSopsEnvFile
  # below and looked up again under config.sops.templates for the container.
  envFileName = "termix.env";

  # sops secret keys holding the OIDC client credentials.
  clientIdKey = "jallen-nas/termix/client-id";
  clientSecretKey = "jallen-nas/termix/client-secret";
in
{
  imports = [
    ./guacd.nix

    # Sops env-file for OIDC credentials.
    # Only sops placeholders are written into the Nix expression here, so the
    # secret values themselves never become part of the evaluated config or
    # the store. Presumably mkSopsEnvFile wires these into a sops template and
    # restarts `restartUnit` when it changes; confirm against the helper.
    {
      config = lib.mkIf termixCfg.enable (
        helpers.mkSopsEnvFile {
          name = envFileName;
          restartUnit = "podman-termix.service";
          secrets = {
            ${clientIdKey} = { };
            ${clientSecretKey} = { };
          };
          content = ''
            OIDC_CLIENT_ID=${config.sops.placeholder.${clientIdKey}}
            OIDC_CLIENT_SECRET=${config.sops.placeholder.${clientSecretKey}}
          '';
        }
      );
    }

    (helpers.mkContainerService {
      inherit config;
      name = "termix";

      # NOTE(review): no tag or digest is given here. Unless mkContainerService
      # appends one (not visible in this file), this is a mutable image
      # reference; pinning to a reviewed version or digest keeps rebuilds
      # reproducible and avoids pulling unreviewed upstream changes.
      image = "ghcr.io/lukegus/termix";
      internalPort = 8080;

      # Persistent application data lives under the service's configDir.
      volumes = [
        "${termixCfg.configDir}/termix:/app/data"
      ];

      # Credentials come from the rendered sops template, not from
      # `environment` below.
      environmentFiles = [
        config.sops.templates.${envFileName}.path
      ];

      # Values in this attrset are ordinary Nix strings and are readable from
      # the store / generated unit, so only non-secret settings belong here.
      environment = {
        OIDC_ISSUER_URL = "https://authentik.mjallen.dev/application/o/termix/";
        OIDC_AUTHORIZATION_URL = "https://authentik.mjallen.dev/application/o/authorize/";
        OIDC_TOKEN_URL = "https://authentik.mjallen.dev/application/o/token/";
        OIDC_FORCE_HTTPS = "true";

        # NOTE(review): guacd is addressed via the NAS LAN address. The guacd
        # protocol has no authentication of its own, so the listener defined
        # in ./guacd.nix should be reachable only by this container; confirm
        # the bind address / firewall rules there.
        GUACD_HOST = network.hosts.nas.lan;
      };
    })
  ];
}