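{ flake, config, pkgs, ... }:
let
  inherit (flake.config.people) user0;
  inherit (flake.config.people.user.${user0}) domain email;
  inherit (flake.config.system.device) server wildcard;
  inherit (flake.config.service.instance) caddy peertube;

  # NOTE(review): the binding is called "localhost" but it is whatever
  # wildcard.ip.address0 resolves to. Confirm it is a loopback address: it is
  # both the reverse_proxy upstream below and (via listenHttp) a port this
  # module opens in the firewall.
  localhost = wildcard.ip.address0;

  # Public hostname served by Caddy and announced by PeerTube as localDomain.
  host = "${peertube.subdomain}.${domain.url1}";
in
{
  services = {
    peertube = {
      enable = true;
      # Caddy terminates TLS and proxies to PeerTube; the module's built-in
      # nginx integration is deliberately not used.
      configureNginx = false;
      enableWebHttps = true;
      user = peertube.name;
      group = peertube.name;
      listenWeb = caddy.ports.port1;
      listenHttp = peertube.ports.port0;
      localDomain = host;
      # Environment file holding the root credentials, provided by sops-nix.
      serviceEnvironmentFile = config.sops.secrets."${peertube.name}-root".path;

      plugins = {
        enable = true;
        plugins = with pkgs; [
          peertube-plugin-livechat
          peertube-plugin-matomo
          peertube-plugin-transcoding-custom-quality
          peertube-theme-dark
        ];
      };

      secrets.secretsFile = config.sops.secrets."${peertube.name}-secret".path;

      settings = {
        instance.name = "The Nutrivore";
        # "debug" is very verbose and may persist request details in the
        # journal; consider "info" once the instance is stable.
        log.level = "debug";
        smtp = {
          transport = "smtp";
          from_address = email.address4;
          username = email.address4;
          hostname = "smtp.protonmail.ch";
          # Submission port 587: no implicit TLS (tls = false), but STARTTLS
          # upgrade stays enabled (disable_starttls = false).
          port = 587;
          tls = false;
          disable_starttls = false;
        };
      };

      database = {
        createLocally = true;
        passwordFile = config.sops.secrets."${peertube.name}-database".path;
      };
      redis = {
        createLocally = true;
        enableUnixSocket = true;
        passwordFile = config.sops.secrets."${peertube.name}-redis".path;
      };
      smtp = {
        createLocally = true;
        passwordFile = config.sops.secrets."${peertube.name}-smtp".path;
      };
    };

    # TLS termination and reverse proxy for the public hostname.
    caddy.virtualHosts.${host}.extraConfig = ''
      reverse_proxy ${localhost}:${toString peertube.ports.port0}
      tls ${peertube.ssl.cert} ${peertube.ssl.key}
    '';
  };

  # One sops secret per credential, all placed under peertube.sops.path0 and
  # readable only by the service user (mode 0600).
  sops.secrets =
    let
      secretNames = [ "smtp" "database" "redis" "root" "secret" ];
      secretFor = name: {
        path = "${peertube.sops.path0}/${peertube.name}-${name}-pass";
        owner = peertube.name;
        mode = "600";
      };
    in
    builtins.listToAttrs (map (name: {
      name = "${peertube.name}-${name}";
      value = secretFor name;
    }) secretNames);

  # Bind the service's state directory onto the external storage volume.
  fileSystems."/var/lib/${peertube.name}" = {
    device = peertube.paths.path0;
    fsType = "none";
    options = [ "bind" ];
    depends = [ server.storage0.mount ];
  };

  systemd.tmpfiles.rules = [
    # Recursive (Z): re-own the whole media tree to the service user on every
    # boot. 755 lets other local users traverse it, which is acceptable for a
    # public media store.
    "Z ${peertube.paths.path0} 755 ${peertube.name} ${peertube.name} -"
    # Secrets directory: non-recursive (z) and owner-only (700). The previous
    # recursive "Z ... 755" would also be applied to anything inside the
    # directory; if the sops secrets are materialised as regular files there,
    # that re-modes them to 0755 and undoes the 0600 set in sops.secrets.
    "z ${peertube.sops.path0} 700 ${peertube.name} ${peertube.name} -"
  ];

  # configureNginx is false, so membership in the nginx group grants access the
  # service never uses; only the caddy group is kept.
  # NOTE(review): confirm what PeerTube actually needs from the caddy group —
  # the TLS key pair above is read by Caddy, not by PeerTube.
  users.users.${peertube.name}.extraGroups = [ "caddy" ];

  networking.firewall.allowedTCPPorts = [
    # NOTE(review): port0 is the plain-HTTP backend that Caddy proxies to.
    # Opening it here exposes the unencrypted listener directly if it binds
    # to a non-loopback address; drop it from this list if Caddy is the only
    # intended client.
    peertube.ports.port0
    peertube.ports.port1
    peertube.ports.port2
    peertube.ports.port3
    peertube.ports.port4
  ];
}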