{pkgs, ...}: {
  project.name = "signal";

  networks.dmz = {
    name = "dmz";
    external = true;
  };

  services = {
    mollysocket.service = {
      image = "ghcr.io/mollyim/mollysocket:latest";
      container_name = "mollysocket";
      useHostStore = true;
      ports = [
        "8020:8020"
      ];
      command = "server";
      working_dir = "/data";
      labels = {
        "traefik.enable" = "true";
        "traefik.http.routers.mollysocket.rule" = "Host(`signal.ghoscht.com`)";
        "traefik.http.routers.mollysocket.entrypoints" = "websecure";
        "traefik.http.services.mollysocket.loadbalancer.server.port" = "8020";
        "traefik.http.routers.mollysocket.tls" = "true";
        "traefik.http.routers.mollysocket.tls.certresolver" = "letsencrypt";
      };
      volumes = [
        "/home/ghoscht/.docker/signal/mollysocket_data:/data"
      ];
      environment = {
        MOLLY_DB = "/data/mollysocket.db";
        MOLLY_ALLOWED_ENDPOINTS = "['https://push.ghoscht.com','*]";
        MOLLY_ALLOWED_UUIDS = "['*']";
        MOLLY_HOST = "0.0.0.0";
        MOLLY_PORT = 8020;
        RUST_LOG = "info";
      };
      restart = "always";
      networks = [
        "dmz"
      ];
    };
  };
}