{ config, lib, pkgs, ... }: {
  virtualisation.vmVariant = {
    networking.firewall.allowedTCPPorts = [ 80 ];
    services.pixelfed = {
      enable = true;
      domain = "pixelfed.localhost";
      secretFile = pkgs.writeText "secrets.env" ''
        APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA
      '';
      settings = {
        OPEN_REGISTRATION = true;
        FORCE_HTTPS_URLS = false;
      };
      # TODO: I feel like this should have an `enable` option and be configured via `services.nginx` rather than mirroring those options here
      nginx = {};
    };
    virtualisation.forwardPorts = [
      {
        from = "host";
        host.port = 8000;
        guest.port = 80;
      }
    ];
  };
}