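# NixOS module for the OpenCloud instance: the service itself bound to a local
# address, Caddy terminating TLS in front of it, the env secret delivered by
# sops-nix, and the state directory bind-mounted from external storage.
{ config, flake, pkgs, ... }:
let
  inherit (flake.config.services.instances) opencloud web caddy;
  inherit (flake.config.machines.devices) eris;
  service = opencloud;
  # Address OpenCloud listens on; Caddy proxies to it.
  localhost = web.localhost.address1;
  # Public name Caddy serves.
  host = service.domains.url0;
in
{
  environment.systemPackages = with pkgs; [ inotify-tools ];

  services = {
    opencloud = {
      enable = true;
      url = "https://${host}";
      port = service.ports.port0;
      address = localhost;
      stateDir = "/var/lib/${service.name}";
      # Runtime credentials come from the sops-managed env file, not the Nix store.
      environmentFile = config.sops.secrets."${service.name}/env".path;
    };

    caddy = {
      virtualHosts = {
        ":${host}" = {
          extraConfig = ''
            redir /.well-known/carddav /remote.php/dav/ 301
            redir /.well-known/caldav /remote.php/dav/ 301
            reverse_proxy ${localhost}:${toString service.ports.port0}
            tls ${service.ssl.cert} ${service.ssl.key}
          '';
        };
      };
    };
  };

  sops =
    let
      # Every secret of this service lands under its sops directory, owned by
      # the service user and readable by that user only.
      sopsPath = secret: {
        path = "${service.sops.path0}/${service.name}-${secret}";
        owner = service.name;
        mode = "600";
      };
    in
    {
      secrets = builtins.listToAttrs (
        map (secret: {
          name = "${service.name}/${secret}";
          value = sopsPath secret;
        }) [ "env" ]
      );
    };

  # Expose the storage-backed path as the service's stateDir.
  fileSystems."/var/lib/${service.name}" = {
    device = service.paths.path0;
    fsType = "none";
    options = [ "bind" ];
    depends = [ eris.storage0.mount ];
  };

  systemd.tmpfiles.rules = [
    # Recursive ownership/mode fix-up of the state tree at boot.
    # NOTE(review): a recursive `Z ... 755` also sets 755 on the files
    # underneath, which leaves stored data readable by every local user —
    # confirm that is intended for this directory.
    "Z ${service.paths.path0} 755 ${service.name} ${service.name} -"
    # Adjust only the secrets directory itself (`z` is non-recursive). A
    # recursive `Z ... 755` here would conflict with the `mode = "600"` the
    # sops entries above declare for the files placed inside it.
    "z ${service.sops.path0} 755 ${service.name} ${service.name} -"
  ];

  networking = {
    firewall = {
      allowedTCPPorts = [
        # NOTE(review): OpenCloud binds to `localhost` above and is reached
        # through Caddy; if address1 is a loopback address this entry opens
        # nothing useful and can be dropped — verify before removing.
        service.ports.port0
        caddy.ports.port4
      ];
    };
  };
}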