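# NixOS module: enables Audiobookshelf, publishes it through a Caddy virtual
# host with an explicit TLS certificate/key, fixes ownership of the service's
# data and secrets paths, and opens the service port in the firewall.
#
# All instance-specific values (subdomain, ports, paths, TLS files) are read
# from flake.config.instances; nothing is hard-coded here.
{ flake, config, ... }:
let
  inherit (flake.config.instances) audiobookshelf web;
  service = audiobookshelf;

  # Public site name: "<subdomain>.<first configured domain>".
  host = "${service.subdomain}.${web.domains.url0}";

  # Upstream address Caddy proxies to.
  localhost = web.localhost.address0;
in
{
  services = {
    audiobookshelf = {
      enable = true;
      # NOTE(review): this passes the public site name as the service's host
      # setting, while Caddy below proxies to ${localhost}. If this option is
      # the bind address, binding to the loopback address would keep the
      # backend reachable only through the TLS proxy. Confirm intent.
      # NOTE(review): no port is set here, so the service uses its module
      # default; verify it equals service.ports.port0, which Caddy and the
      # firewall both use.
      host = host;
    };

    caddy = {
      virtualHosts = {
        "${host}" = {
          # Forward requests to the local backend, pass the client address
          # upstream as X-Real-IP, terminate TLS with the configured
          # certificate and key, and compress responses.
          extraConfig = ''
            reverse_proxy ${localhost}:${toString service.ports.port0} {
              header_up X-Real-IP {remote_host}
            }
            tls ${service.ssl.cert} ${service.ssl.key}
            encode zstd gzip
          '';
        };
      };
    };
  };

  # "Z" recursively sets mode and ownership, and applies the same mode to
  # files and directories alike.
  systemd.tmpfiles.rules = [
    "Z ${service.paths.path0} 0755 ${service.name} ${service.name} -"
    # Secrets path: no access for "other". The previous 755 made every file
    # under this path world-readable. If another account must read files here
    # (for example the web server, should the TLS key live under this path),
    # grant that through group membership rather than world bits.
    "Z ${service.sops.path0} 0750 ${service.name} ${service.name} -"
  ];

  networking = {
    firewall = {
      # NOTE(review): this opens the backend port itself, not the proxy's
      # HTTPS port. Clients that can reach it talk to the service without the
      # TLS configured above. If all access is meant to go through Caddy,
      # this port should not be in allowedTCPPorts. Confirm before changing.
      allowedTCPPorts = [
        service.ports.port0
      ];
    };
  };
}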