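# NixOS module: Ollama + Open WebUI, published through a Caddy virtual host
# that terminates TLS. Inputs come from the flake's `config.service.instance.ollama`
# and `config.system.device` trees.
#
# Security notes (review):
#   * Ollama's HTTP API carries no authentication of its own and Open WebUI's
#     listener is plain HTTP. In this module both are only meant to be reached
#     via the Caddy vhost below, yet `networking.firewall` at the bottom also
#     opens their raw ports. Whether that is harmless depends entirely on the
#     value of `wildcard.ip.address0` (bound to the misleadingly named
#     `localhost` below): if it is a loopback address the openings are merely
#     unnecessary (NixOS already accepts loopback traffic); if it is a wildcard
#     or LAN address -- the name suggests it may be -- they expose an
#     unauthenticated model API and bypass TLS. Confirm the bind address before
#     keeping those two ports open; Caddy on the same host does not need them.
#   * Ports 80/443 for Caddy are not opened here; presumably done elsewhere.
{flake, ...}: let
  inherit (flake.config.people) user0;
  inherit (flake.config.people.user.${user0}) domain;
  inherit (flake.config.system.device) server wildcard;
  inherit (flake.config.service.instance.ollama) paths ports subdomain name ssl;

  # Bind address shared by ollama and open-webui.
  # NOTE(review): despite the name this is `wildcard.ip.address0`, not
  # necessarily 127.0.0.1 -- verify before relying on "local only".
  localhost = wildcard.ip.address0;

  # Public hostname served by the Caddy virtual host.
  host = "${subdomain}.${domain.url0}";

  # Ollama API endpoint as open-webui reaches it on this host.
  ollamaUrl = "http://${localhost}:${toString ports.port1}";
in {
  services = {
    ollama = {
      enable = true;
      acceleration = false;
      # Run as a dedicated service account rather than the module default.
      user = name;
      group = name;
      host = "http://${localhost}";
      port = ports.port1;
    };

    open-webui = {
      enable = true;
      host = localhost;
      port = ports.port0;
      environment = {
        ENABLE_OLLAMA_API = "True";
        OLLAMA_BASE_URL = ollamaUrl;
        # Require login; without this anyone who can reach the listener
        # gets a working chat UI and, through it, the model API.
        WEBUI_AUTH = "True";
        # Opt out of all phone-home telemetry.
        ANONYMIZED_TELEMETRY = "False";
        DO_NOT_TRACK = "True";
        SCARF_NO_ANALYTICS = "True";
      };
    };

    # TLS terminated here with the instance's static cert/key; everything
    # behind it is plain HTTP on this host.
    caddy.virtualHosts.${host}.extraConfig = ''
      reverse_proxy ${localhost}:${toString ports.port0}
      tls ${ssl.cert} ${ssl.key}
    '';
  };

  # Service state lives on external storage, bind-mounted into /var/lib/<name>.
  fileSystems."/var/lib/${name}" = {
    device = paths.path0;
    fsType = "none";
    options = ["bind"];
    depends = [server.storage0.mount];
  };

  # Recursively fix ownership and mode of the backing directory.
  # Only the service user/group need access, so the tree is no longer
  # world-readable (0750; was 0755).
  systemd.tmpfiles.rules = ["Z ${paths.path0} 0750 ${name} ${name} -"];

  # See the security notes at the top: these open the raw open-webui (port0)
  # and ollama (port1) listeners, which Caddy does not need. Keep only if
  # direct, off-host access to them is actually intended.
  networking.firewall.allowedTCPPorts = [
    ports.port0
    ports.port1
  ];
}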