{pkgs, ...}: {
  project.name = "signal";

  networks.dmz = {
    name = "dmz";
    external = true;
  };

  services = {
    mollysocket.service = {
      image = "ghcr.io/mollyim/mollysocket:1.3.0";
      container_name = "mollysocket";
      useHostStore = true;
      ports = [
        "8020:8020"
      ];
      command = "server";
      working_dir = "/data";
      labels = {
        "traefik.enable" = "true";

        "traefik.http.routers.mollysocket.rule" = "Host(`signal.ghoscht.com`)";
        "traefik.http.routers.mollysocket.service" = "mollysocket";
        "traefik.http.routers.mollysocket.entrypoints" = "websecure";
        "traefik.http.services.mollysocket.loadbalancer.server.port" = "8020";
        "traefik.http.routers.mollysocket.tls" = "true";
        "traefik.http.routers.mollysocket.tls.certresolver" = "letsencrypt";

        "traefik.http.services.mollysocket-external.loadbalancer.server.port" = "8020";
        "traefik.http.routers.mollysocket-external.service" = "mollysocket-external";
        "traefik.http.routers.mollysocket-external.rule" = "Host(`signal.ghoscht.com`)";
        "traefik.http.routers.mollysocket-external.entrypoints" = "websecure-external";
        "traefik.http.routers.mollysocket-external.tls" = "true";
        "traefik.http.routers.mollysocket-external.tls.certresolver" = "letsencrypt";
      };
      environment = {
        MOLLY_DB = "/data/mollysocket.db";
        MOLLY_ALLOWED_ENDPOINTS = "[\"https://push.ghoscht.com\",\"*\"]";
        MOLLY_ALLOWED_UUIDS = "[\"*\"]";
        MOLLY_HOST = "0.0.0.0";
        MOLLY_PORT = 8020;
        RUST_LOG = "info";
      };
      restart = "always";
      networks = [
        "dmz"
      ];
    };
  };
}