{
  flake,
  ...
}:
let
  inherit (flake.config.people)
    user0
    ;
  inherit (flake.config.machines.devices)
    server
    ;
  inherit (flake.config.services.instances)
    hledger
    web
    ;
  service = hledger;
  localhost = web.localhost.address0;
  host = "${service.subdomain}.${web.domains.url0}";
in
{
  hledger-web = {
    enable = true;
    host = localhost;
    baseUrl = host;
    stateDir = service.paths.path0;
    port = service.ports.port0;
    allow = "edit";
  };

  caddy = {
    virtualHosts = {
      "${host}" = {
        extraConfig = ''
          reverse_proxy ${localhost}:${toString service.ports.port0}

          tls ${service.ssl.cert} ${service.ssl.key}
        '';
      };
    };
  };

  fileSystems."/var/lib/${service.name}" = {
    device = service.paths.path0;
    fsType = "none";
    options = [
      "bind"
    ];
    depends = [
      server.storage0.mount
    ];
  };

  systemd.tmpfiles.rules = [
    "Z ${service.paths.path0} 0755 ${user0} ${user0} -"
  ];
}