{config, ...}: let
  dir = "/srv/maloja";
  configDir = "${dir}/config";
  stateDir = "${dir}/state";
  logsDir = "${dir}/logs";
  cacheDir = "${dir}/cache";
in {
  sops.secrets."svc-maloja-env" = {};

  systemd.tmpfiles.rules = [
    "d ${configDir} 0750 root root - -"
    "d ${stateDir} 0750 root root - -"
    "d ${logsDir} 0750 root root - -"
    "d ${cacheDir} 0750 root root - -"
  ];

  virtualisation.oci-containers.containers.maloja = {
    image = "docker.io/krateng/maloja:latest";
    extraOptions = ["--rm"];
    environmentFiles = [config.sops.secrets."svc-maloja-env".path];
    volumes = [
      "${configDir}:/config/config"
      "${stateDir}:/config/state"
      "${logsDir}:/config/logs"
      "${cacheDir}:/config/cache"
    ];
    ports = ["42010:42010/tcp"];
  };
}