{ pkgs, lib, config, user, ... }:
let fhs = (pkgs.buildFHSEnv {
  name = "node-fhs-env";
  targetPkgs = pkgs: (with pkgs; [
       libgcc.lib
       glibc_multi.out
  ]);
  runScript = "${lib.getExe pkgs.nodejs_25}";
});
in {
    # systemd.packages = [
    #   (pkgs.writeTextFile {
    #    name = "foundryvtt@.service";
    #    destination = "/etc/systemd/system/foundryvtt@.service";
    #    text = ''
    #    [Unit]
    #    Description = "foundryvtt %i"
    #    After=network.target
    #
    #    [Service]
    #    Type=simple
    #    User=foundryvtt%i
    #    DynamicUser=yes
    #    StateDirectory=foundryvtt%i
    #    ExecStart=${lib.getExe pkgs.nodejs_25} /var/lib/foundryvtt%i/foundryvtt/main.js --dataPath=/var/lib/foundryvtt%i/foundrydata --port=3000%i
    #    Restart=on-failure
    #    RestartSec=30
    #
    #    [Install]
    #    WantedBy=default.target
    #    '';
    #    })
    # ];
    # security.acme.certs."${config.domainName}".extraDomainNames = [ "foundry.${config.domainName}" ];
    # services.nginx.virtualHosts."foundry.${config.domainName}" = {
    #   useACMEHost = config.domainName;
    #   addSSL = true;
    #   locations."/".proxyPass = "http://localhost:30000";
    # };
  security.acme.certs."${config.domainName}".extraDomainNames = [
    "mitchskeller.${config.domainName}"
    "inferno.${config.domainName}"
    "nixland.${config.domainName}"
  ];
  services.nginx.virtualHosts."mitchskeller.${config.domainName}" = {
    useACMEHost = config.domainName;
    addSSL = true;
    locations."/" = {
      # make sure websocket connection is forwarded
      extraConfig = ''
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection $connection_upgrade;
      '';
      proxyPass = "http://localhost:30000";
    };
  };
  services.nginx.virtualHosts."inferno.${config.domainName}" = {
    useACMEHost = config.domainName;
    addSSL = true;
    locations."/" = {
      # make sure websocket connection is forwarded
      extraConfig = ''
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection $connection_upgrade;
      '';
      proxyPass = "http://localhost:30001";
    };
  };
  services.nginx.virtualHosts."nixland.${config.domainName}" = {
    useACMEHost = config.domainName;
    addSSL = true;
    locations."/" = {
      # make sure websocket connection is forwarded
      extraConfig = ''
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection $connection_upgrade;
      '';
      proxyPass = "http://localhost:30002";
    };
  };

  virtualisation.docker.enable = true;
  users.users.${user}.extraGroups = [ "docker" ];

  users.users.foundry = {
    shell = pkgs.zsh;
    isNormalUser = true;
    group = "${user}";
    openssh.authorizedKeys.keyFiles = [
      ./mitch.pub
    ] ++ config.users.users.${user}.openssh.authorizedKeys.keyFiles;
  };
}