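# Termix service module: runs the Termix container through oci-containers and
# supplies its OIDC client credentials from sops-managed secrets.
{
  lib,
  config,
  namespace,
  ...
}:
with lib;
let
  name = "termix";
  cfg = config.${namespace}.services.${name};

  # Both OIDC secrets are stored in the same sops-encrypted file.
  nasSecrets = lib.snowfall.fs.get-file "secrets/nas-secrets.yaml";

  # Name of the rendered env-file template, shared by its definition and by
  # the container's environmentFiles reference below.
  envTemplate = "${name}.env";

  # NOTE(review): mkModule is a project helper whose behaviour is not visible
  # in this file; it presumably declares the options read through `cfg`
  # (configDir, port, puid, pgid, timeZone) — confirm against its definition.
  termixConfig = lib.${namespace}.mkModule {
    inherit config name;
    serviceName = "podman-${name}";
    description = "termix";
    options = { };
    moduleConfig = {
      sops = {
        secrets = {
          "jallen-nas/termix/client-id" = {
            sopsFile = nasSecrets;
          };
          "jallen-nas/termix/client-secret" = {
            sopsFile = nasSecrets;
          };
        };
        templates = {
          ${envTemplate} = {
            # Read-only for owner and group. The file holds the OIDC client
            # secret and is rendered by sops-nix, so nothing needs write
            # access to it (was "660").
            mode = "0440";
            owner = "nix-apps";
            group = "jallen-nas";
            # Restart the container when the rendered secrets change.
            restartUnits = [ "podman-termix.service" ];
            content = ''
              OIDC_CLIENT_ID=${config.sops.placeholder."jallen-nas/termix/client-id"}
              OIDC_CLIENT_SECRET=${config.sops.placeholder."jallen-nas/termix/client-secret"}
            '';
          };
        };
      };

      virtualisation.oci-containers.containers.${name} = {
        autoStart = true;
        # NOTE(review): no tag or digest is given, so whatever the registry
        # currently serves as the default tag is pulled. Pin to a reviewed
        # release, e.g. "ghcr.io/lukegus/termix:<TAG>@sha256:<DIGEST>", so an
        # upstream push cannot silently change what runs here.
        image = "ghcr.io/lukegus/termix";
        volumes = [
          "${cfg.configDir}/termix:/app/data"
        ];
        # NOTE(review): no host address is given, so the port is published on
        # all host interfaces. If the service is only meant to be reached
        # through a reverse proxy, bind it to that address instead.
        ports = [
          "${toString cfg.port}:8080"
        ];
        # Load OIDC_CLIENT_ID / OIDC_CLIENT_SECRET from the rendered template.
        # The original definition rendered the template and restarted the unit
        # on change but never passed the file to the container, so the
        # credentials did not reach Termix (unless mkModule wires this up
        # elsewhere — not visible here). Using an env file also keeps the
        # secret out of the world-readable Nix store.
        environmentFiles = [
          config.sops.templates.${envTemplate}.path
        ];
        environment = {
          OIDC_ISSUER_URL = "https://authentik.mjallen.dev/application/o/termix/";
          OIDC_AUTHORIZATION_URL = "https://authentik.mjallen.dev/application/o/authorize/";
          OIDC_TOKEN_URL = "https://authentik.mjallen.dev/application/o/token/";
          OIDC_FORCE_HTTPS = "true";
          # NOTE(review): hard-coded guacd address; the traffic between Termix
          # and guacd is assumed to stay on a trusted internal network —
          # confirm, and consider making this a module option.
          GUACD_HOST = "10.0.1.3";
          PUID = cfg.puid;
          PGID = cfg.pgid;
          TZ = cfg.timeZone;
        };
      };
    };
  };
in
{
  imports = [
    ./guacd.nix
    termixConfig
  ];
}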