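# NixOS module: runs the tlater.net web server as an OCI container, owned by a
# dedicated unprivileged system user whose uid/gid is mirrored into the image.
{ config, pkgs, ... }: {
  # Host-side account the container process runs as. `users.users` /
  # `users.groups` are the canonical option names; `extraUsers` / `extraGroups`
  # are legacy aliases that evaluate to the same options.
  users = {
    users.webserver = {
      uid = config.ids.uids.webserver;
      group = config.users.groups.webserver.name;
      isSystemUser = true;
      description = "tlater.net web server user";
    };
    groups.webserver = { gid = config.ids.gids.webserver; };
  };

  virtualisation.oci-containers.containers.webserver = {
    image = "tlaternet/webserver";
    imageFile = pkgs.dockerTools.buildImage {
      name = "tlaternet/webserver";
      tag = "latest";
      contents = pkgs.tlaternet-webserver.webserver;
      config = let
        # Reuse the host uid/gid so that files the server writes to the mail
        # volume are owned by the host's webserver account, not by root.
        uid = toString config.users.users.webserver.uid;
        gid = toString config.users.groups.webserver.gid;
      in {
        Cmd = [ "tlaternet-webserver" ];
        Volumes = { "/srv/mail" = { }; };
        Env = [
          "ROCKET_PORT=3002"
          "ROCKET_TEMPLATE_DIR=${pkgs.tlaternet-templates.templates}/browser/"
        ];
        ExposedPorts = { "3002" = { }; };
        # The process inside the container does not run as root.
        User = "${uid}:${gid}";
      };
    };
    # A bare "host:container" mapping publishes the port on every host interface;
    # prefix an address (e.g. "127.0.0.1:3002:3002") if only a local reverse proxy
    # should reach it, or make sure the host firewall covers 3002.
    ports = [ "3002:3002" ];
    volumes = [ "tlaternet-mail:/srv/mail" ];
    extraOptions = [
      "--hostname=tlater.net"
      # Rocket 0.4 doesn't support SIGTERM anyway, so SIGKILL is the cleanest exit possible.
      "--stop-signal=SIGKILL"
    ];
  };
}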