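# NixOS module for the Wiki.js instance.
#
# Layout: the app listens on `localhost` (an address taken from the device
# config) on `ports.port0`; Caddy terminates TLS for `host` and proxies to
# that address/port; PostgreSQL is reached over the local unix socket; the
# state directory is a bind mount of `paths.path0`.
{ flake, config, ... }:
let
  inherit (flake.config.people) user0;
  inherit (flake.config.people.user.${user0}) domain;
  inherit (flake.config.system.device) server wildcard;
  inherit (flake.config.service.instance.wiki) paths ports subdomain ssl sops name;

  # Bind address of the app and the upstream Caddy dials. Whether this is a
  # loopback or a LAN address is decided in the device config, not here.
  localhost = wildcard.ip.address1;
  host = "${subdomain}.${domain.url1}";
in
{
  services = {
    wiki-js = {
      enable = true;
      # environmentFile = config.sops.secrets."${name}-pass".path;
      settings = {
        port = ports.port0;
        bindIP = localhost;
        db = {
          db = name;
          type = "postgres";
          # unix socket: the database is not reachable over the network from here
          host = "/run/postgresql";
        };
      };
    };

    caddy = {
      virtualHosts = {
        "${host}" = {
          # TLS is terminated here; the upstream hop is plain HTTP.
          extraConfig = ''
            reverse_proxy ${localhost}:${toString ports.port0}
            tls ${ssl.cert} ${ssl.key}
          '';
        };
      };
    };

    postgresql = {
      ensureDatabases = [ name ];
      ensureUsers = [
        {
          name = name;
          ensureDBOwnership = true;
        }
      ];
    };
  };

  # sops = let
  #   sopsSecrets = ["pass"];
  #   sopsPath = secret: {
  #     path = "${sops.path0}/${name}-${secret}";
  #     owner = "root";
  #     mode = "600";
  #   };
  # in {
  #   secrets = builtins.listToAttrs (
  #     map
  #     (secret: {
  #       name = "${name}-${secret}";
  #       value = sopsPath secret;
  #     })
  #     sopsSecrets
  #   );
  # };

  fileSystems."/var/lib/${name}" = {
    device = paths.path0;
    fsType = "none";
    options = [ "bind" ];
    depends = [ server.storage0.mount ];
  };

  # Only the bind-mount source is adjusted here.
  #
  # The earlier rule `Z ${sops.path0} 755 ${name} ${name} -` was dropped: it
  # recursively re-owned the whole secrets directory to the service user and
  # widened it to 755 (world-readable), which contradicts the root-owned,
  # mode 600 secrets declared in the commented sops block above. When sops is
  # re-enabled, let the per-secret `owner`/`mode` there govern access instead
  # of a recursive chown of the directory.
  #
  # NOTE(review): 755 leaves the data tree readable by every local account;
  # 0750 would do unless something else on the host reads it — confirm.
  # NOTE(review): assumes a static "${name}" user/group exists for tmpfiles
  # to resolve — confirm against the wiki-js service definition.
  systemd.tmpfiles.rules = [
    "Z ${paths.path0} 755 ${name} ${name} -"
  ];

  # No firewall rule for ports.port0. That port is the plain-HTTP upstream
  # that the Caddy vhost fronts over TLS; Caddy reaches it locally (traffic
  # to one of the host's own addresses goes over lo, which the NixOS firewall
  # accepts), so opening it externally only exposed the app without TLS next
  # to the TLS vhost.
}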