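{ flake, config, ... }:
let
  inherit (flake.config.people) user0;
  inherit (flake.config.people.users.${user0}) email;
  inherit (flake.config.services.instances) firefly-iii;
  # Only referenced by the commented-out bind mount below.
  inherit (flake.config.machines.devices) ceres;

  # Per-instance values (name, domain, ports, secret and TLS paths) come from
  # the flake-level service registry.
  service = firefly-iii;
  # Public hostname: used as the Firefly III virtual host and as the Caddy site.
  host = service.domains.url0;
in
{
  services = {
    firefly-iii = {
      enable = true;
      virtualHost = host;
      # The NixOS module provisions the nginx vhost for Firefly III; Caddy
      # terminates TLS in front of it and proxies to nginx on localhost:80.
      enableNginx = true;
      settings = {
        # Secret material is read from files managed by sops-nix (see `sops` below).
        APP_KEY_FILE = config.sops.secrets."${service.name}-key".path;
        SITE_OWNER = email.address0;
        DB_DATABASE = "firefly";
        DB_USERNAME = "firefly";
        DB_PASSWORD_FILE = config.sops.secrets."${service.name}-pass".path;
        # NOTE(review): "**" makes Firefly III trust X-Forwarded-* headers
        # from any peer. The only intended proxy is Caddy dialing
        # localhost:80, so a loopback-only value ("127.0.0.1,::1") would be
        # the tighter setting — confirm nothing else can reach nginx on :80
        # before keeping "**".
        TRUSTED_PROXIES = "**";
      };
    };

    nginx = {
      enable = true;
      # Kept for reference: alternative listen on 8080 for this vhost.
      # virtualHosts.${config.services.firefly-iii.virtualHost} = {
      #   listen = [
      #     {
      #       addr = "0.0.0.0";
      #       port = 8080;
      #     }
      #   ];
      # };
    };

    caddy = {
      virtualHosts = {
        "${host}" = {
          extraConfig = ''
            encode gzip

            # Forward to the nginx vhost created by the Firefly III module.
            reverse_proxy localhost:80 {
              header_up Host {host}
              header_up X-Real-IP {remote_host}
              header_up X-Forwarded-For {remote_host}
              header_up X-Forwarded-Proto https
              header_up X-Forwarded-Host {host}
              header_up X-Forwarded-Ssl on
              header_up Connection ""
              timeout 240s
              dial_timeout 240s
            }

            # Responses for requests carrying a session cookie must not be
            # stored by shared caches.
            @session_cookie header Cookie *session*
            handle @session_cookie {
              header Cache-Control "no-cache, no-store, must-revalidate"
            }

            request_body {
              max_size 64MB
            }

            tls ${service.ssl.cert} ${service.ssl.key}
          '';
        };
      };
    };
  };

  # sops-nix secrets: one file per secret under the service's secret
  # directory, owned by the service user and readable only by it.
  sops =
    let
      sopsPath = secret: {
        path = "${service.sops.path0}/${service.name}-${secret}";
        owner = service.name;
        mode = "600";
      };
    in
    {
      secrets = builtins.listToAttrs (
        map (secret: {
          name = "${service.name}-${secret}";
          value = sopsPath secret;
        }) [ "key" "pass" ]
      );
    };

  # Bind mount of the service state directory; disabled for now.
  # fileSystems."/var/lib/${service.name}" = {
  #   device = service.paths.path0;
  #   fsType = "none";
  #   options = [
  #     "bind"
  #   ];
  #   depends = [
  #     ceres.storage0.mount
  #   ];
  # };

  # NOTE(review): the proxy path above goes Caddy -> nginx over TCP, so
  # membership in "caddy" is not needed for it; confirm what this group
  # grants (e.g. read access to files under caddy's ownership) or drop it.
  users.users.${service.name}.extraGroups = [ "caddy" ];

  systemd.tmpfiles.rules = [
    # "Z ${service.paths.path0} 755 ${service.name} ${service.name} -"
    # NOTE(review): Z applies owner and mode recursively. If path0 is shared
    # with other services this re-owns their secrets as well, and the
    # secret files declared with mode 600 above should be checked to still
    # end up 600 after this rule runs.
    "Z ${service.sops.path0} 755 ${service.name} ${service.name} -"
  ];

  networking = {
    firewall = {
      allowedTCPPorts = [
        # 8080 pairs with the commented-out nginx listen block; nothing binds
        # it while that stays disabled, so it can be dropped unless re-enabled.
        8080
        service.ports.port0
      ];
    };
  };
}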