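# NixOS container definition for the public webserver (nginx + hedgedoc).
#
# Arguments:
#   repoFlake    - the repository flake; only `inputs.sops-nix` is used here
#   hostAddress  - host-side address of the container's veth link (privateNetwork)
#   localAddress - container-side address of the veth link
#   httpPort     - host port forwarded to the container's port 80  (default 80)
#   httpsPort    - host port forwarded to the container's port 443 (default 443)
#   autoStart    - whether the container starts together with the host (default false)
{
  repoFlake,
  hostAddress,
  localAddress,
  httpPort ? 80,
  httpsPort ? 443,
  autoStart ? false,
}: {
  config = { config, pkgs, lib, ... }: {
    system.stateVersion = "22.05"; # Did you read the comment?

    imports = [
      ../profiles/containers/configuration.nix
      repoFlake.inputs.sops-nix.nixosModules.sops
    ];

    # The container has its own network namespace (`privateNetwork` below), so
    # what is reachable from outside is decided by the host firewall and the
    # explicit `forwardPorts` list; the in-container firewall is therefore off.
    networking.firewall.enable = false;

    services.ddclientovh = {
      enable = true;
      domain = "www.stefanjunker.de";
    };

    security.acme = {
      acceptTerms = true;
      certs."www.stefanjunker.de".email = "mail@stefanjunker.de";
      preliminarySelfsigned = true;
      # can be used for debugging
      # server = "https://acme-staging-v02.api.letsencrypt.org/directory";
    };

    # Secrets are decrypted with the host's SSH host key, which `bindMounts`
    # below makes available read-only inside the container.
    sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
    sops.secrets.hedgedoc_environment_file = {
      sopsFile = ./webserver_secrets.yaml;
      # The decrypted file is owned by (and thus readable for) the hedgedoc service user.
      owner = config.users.users.hedgedoc.name;
    };

    services.nginx.enable = true;
    services.nginx.recommendedProxySettings = true;
    services.nginx.virtualHosts."www.stefanjunker.de" = {
      default = true;
      addSSL = true;
      # nginx listens on the fixed in-container ports 80/443, which is what
      # `containerPort` in `forwardPorts` points at; the host-side ports
      # (`httpPort`/`httpsPort`) are mapped onto these by the host. Listening on
      # the host port numbers here instead would leave the forwarded port
      # unanswered whenever a non-default value is passed.
      # NOTE(review): the ACME http-01 challenge still has to be reachable on
      # port 80 of the public address, so httpPort is presumably 80 in practice.
      listen = [
        { addr = "0.0.0.0"; port = 80; ssl = false; }
        { addr = "0.0.0.0"; port = 443; ssl = true; }
      ];
      root = "/var/www/stefanjunker.de/htdocs";
      enableACME = true;
      # hedgedoc is only proxied on loopback; nginx is the single public entry point.
      locations."/hedgedoc/" = { proxyPass = "http://[::1]:3000/"; };
      locations."/hedgedoc/socket.io/" = {
        proxyPass = "http://[::1]:3000/socket.io/";
        proxyWebsockets = true;
      };
    };

    services.hedgedoc = {
      enable = true;
      settings = {
        domain = "www.stefanjunker.de";
        urlPath = "hedgedoc";
        protocolUseSSL = true;
        db = {
          dialect = "sqlite";
          storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite";
        };
        # Closed instance: no anonymous use or edits, no free-form note URLs,
        # no self-registration, and new notes are private by default.
        allowAnonymous = false;
        allowAnonymousEdits = false;
        allowGravatar = false;
        allowFreeURL = false;
        defaultPermission = "private";
        allowEmailRegister = false;
        # these are set via the `environmentFile`
        dropbox = {
          appKey = "$DROPBOX_APPKEY";
          clientID = "$DROPBOX_CLIENTID";
          clientSecret = "$DROPBOX_CLIENTSECRET";
        };
        uploadsPath = "/var/lib/hedgedoc/uploads";
      };
      environmentFile = config.sops.secrets.hedgedoc_environment_file.path;
    };
  };

  inherit autoStart;

  bindMounts = {
    # FIXME/REMINDER: the host's SSH host key is mounted so that the container
    # can decrypt the secrets that are deployed to the host. A compromise of the
    # container therefore also discloses the host's SSH identity; a dedicated
    # age key for this container would limit that blast radius.
    "/etc/ssh/ssh_host_ed25519_key".isReadOnly = true;
    "/etc/ssh/ssh_host_ed25519_key.pub".isReadOnly = true;
    # Persistent state lives in host-side volumes, writable from the container.
    "/var/www" = {
      hostPath = "/var/lib/container-volumes/webserver/var-www";
      isReadOnly = false;
    };
    # NOTE(review): no MySQL service is configured in this file; presumably a
    # leftover or used by the imported profile -- confirm before removing.
    "/var/lib/mysql" = {
      hostPath = "/var/lib/container-volumes/webserver/var-lib-mysql";
      isReadOnly = false;
    };
    "/var/lib/hedgedoc" = {
      hostPath = "/var/lib/container-volumes/webserver/var-lib-hedgedoc";
      isReadOnly = false;
    };
  };

  # Use the host's resolv.conf for name resolution inside the container.
  extraFlags = ["--resolv-conf=bind-host"];

  privateNetwork = true;

  # Only these two host ports reach the container; everything else bound inside
  # it stays private to the container's network namespace.
  forwardPorts = [
    {
      # http
      containerPort = 80;
      hostPort = httpPort;
      protocol = "tcp";
    }
    {
      # https
      containerPort = 443;
      hostPort = httpsPort;
      protocol = "tcp";
    }
  ];

  inherit hostAddress localAddress;
}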