{pkgs, ...}: let
  umamiPort = 3000;
in {
  networking.firewall.allowedTCPPorts = [
    umamiPort
  ];

  services.postgresql = {
    package = pkgs.postgresql_16;
    enable = true;
    enableTCPIP = true;
    authentication = "host umami umami 127.0.0.1/32 trust";
    ensureDatabases = ["umami"];
    ensureUsers = [
      {
        name = "umami";
        ensureDBOwnership = true;
      }
    ];
  };

  virtualisation.oci-containers.containers."umami" = {
    image = "ghcr.io/umami-software/umami:postgresql-v2.13.2";
    extraOptions = [
      "--network=host"
    ];
    hostname = "umami";
    environment = {
      PORT = toString umamiPort;
      DATABASE_TYPE = "postgresql";
      DATABASE_URL = "postgresql://umami:umami@127.0.0.1:5432/umami";
      DISABLE_TELEMETRY = "1";
      PRIVATE_MODE = "1";
    };
  };
}