# NixOS module: runs Owncast and publishes its web interface through a Caddy
# virtual host that terminates TLS with an explicitly supplied cert/key pair.
{flake, ...}: let
  inherit (flake.config.people) user0;
  inherit (flake.config.people.user.${user0}) domain;
  # `server`, `paths` and `name` are only referenced by the disabled bind-mount
  # block further down.
  inherit (flake.config.system.device) server wildcard;
  inherit (flake.config.service.instance.owncast) paths ports subdomain ssl name;

  # NOTE(review): the value is not visible here. The `wildcard` source suggests
  # an all-interfaces address rather than loopback; confirm. If so, Owncast's
  # plain-HTTP listener is bound on every interface, not only behind Caddy.
  listenAddress = wildcard.ip.address0;
  webPort = ports.port0;
  fqdn = "${subdomain}.${domain.url1}";
  upstream = "${listenAddress}:${toString webPort}";
in {
  services.owncast = {
    enable = true;
    listen = listenAddress;
    port = webPort;
    # Asks the owncast module to open its ports in the host firewall.
    # NOTE(review): together with the explicit allowedTCPPorts entry below, this
    # leaves the backend web port reachable without passing through Caddy's TLS
    # whenever the listen address is not loopback. If only the proxied hostname
    # is meant to be public, bind to loopback and drop the web port from the
    # firewall; verify against the intended access path first.
    openFirewall = true;
  };

  # Caddy terminates TLS for the public hostname and forwards to Owncast.
  # NOTE(review): assumes ssl.cert / ssl.key evaluate to string paths that live
  # outside the Nix store; a Nix path value interpolated here would be copied
  # into the world-readable store. Confirm for the private key.
  services.caddy.virtualHosts."${fqdn}".extraConfig = ''
    reverse_proxy ${upstream}
    tls ${ssl.cert} ${ssl.key}
  '';

  # Disabled: bind-mount of the service state directory onto dedicated storage.
  # fileSystems."/var/lib/${name}" = {
  #   device = paths.path0;
  #   fsType = "none";
  #   options = ["bind"];
  #   depends = [server.storage0.mount];
  # };

  # systemd.tmpfiles.rules = [
  #   "Z ${paths.path0} 755 ${name} ${name} -"
  # ];

  # NOTE(review): ports.port0 is the same port Caddy proxies to, so it is
  # opened here in addition to being served via the virtual host. The role of
  # ports.port1 is not visible in this file (presumably stream ingest; confirm).
  networking.firewall.allowedTCPPorts = [
    webPort
    ports.port1
  ];
}