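# NixOS module: runs the Attic binary-cache server (atticd) behind an nginx
# TLS reverse proxy. The token-signing secret comes from sops-nix and is handed
# to atticd through an environment file.
{ inputs, config, pkgs, ... }:
let
  # TCP port atticd listens on; the nginx vhost below proxies to the same port.
  atticdPort = 3215;
in
{
  imports = [ inputs.attic.nixosModules.atticd ];

  # Base64-encoded RS256 secret, declared with sops-nix defaults.
  sops.secrets = {
    attic_server_token_rs256_secret_base64 = { };
  };

  # One-shot unit that renders the sops secret into the KEY="value" format
  # expected by services.atticd.environmentFile.
  #
  # NOTE(review): /etc/atticd.env is a second, persistent plaintext copy of the
  # secret. Because of ConditionPathExists below it is only written when the
  # file is absent, so rotating the sops secret does not reach atticd until
  # /etc/atticd.env is deleted. Confirm this is intended.
  systemd.services.atticd-env =
    let
      createEnvScript = pkgs.writeShellScript "atticd-env" ''
        set -euo pipefail
        # Files created below must be readable by root only.
        umask 077
        value="$(<${config.sops.secrets.attic_server_token_rs256_secret_base64.path})"
        # Refuse to hand atticd an empty signing secret.
        if [ -z "$value" ]; then
          echo "atticd-env: decrypted secret is empty; not writing /etc/atticd.env" >&2
          exit 1
        fi
        # Write to a temporary name and rename into place. A failed or
        # interrupted write must not leave a truncated /etc/atticd.env behind,
        # because ConditionPathExists would then skip this unit on every
        # later start.
        tmp=/etc/atticd.env.tmp
        printf "ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64=\"%s\"\n" "$value" > "$tmp"
        ${pkgs.coreutils}/bin/mv -f "$tmp" /etc/atticd.env
      '';
    in
    {
      description = "Create /etc/atticd.env if missing";
      # Order before atticd and get pulled in whenever atticd is started.
      before = [ "atticd.service" ];
      wantedBy = [ "atticd.service" ];
      # Leading "!" negates the check: run only while the file does not exist.
      unitConfig.ConditionPathExists = "!/etc/atticd.env";
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
        ExecStart = createEnvScript;
      };
    };

  services.atticd = {
    enable = true;
    # Supplies ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64 (written by atticd-env).
    environmentFile = "/etc/atticd.env";
    mode = "monolithic";
    settings = {
      api-endpoint = "https://attic.kjtsanaktsidis.id.au";
      allowed-hosts = [ "attic.kjtsanaktsidis.id.au" ];
      # NOTE(review): "[::]" is the wildcard address, so atticd accepts
      # plain-HTTP connections on every interface, not only from the local
      # nginx. Nothing in this module opens the port in the firewall, but if
      # nginx is the only client, binding to a loopback address (and pointing
      # proxyPass at that same address) removes the reliance on the firewall.
      # Confirm that nothing else connects to this port directly.
      listen = "[::]:${builtins.toString atticdPort}";
      # Left empty here; the signing secret arrives through environmentFile.
      jwt = { };
      chunking = {
        nar-size-threshold = 64 * 1024; # 64 KiB
        min-size = 16 * 1024; # 16 KiB
        avg-size = 64 * 1024; # 64 KiB
        max-size = 256 * 1024; # 256 KiB
      };
      # Metadata database and NAR storage both live under /var/lib/atticd.
      database = {
        url = "sqlite:///var/lib/atticd/server.db";
      };
      storage = {
        type = "local";
        path = "/var/lib/atticd/storage";
      };
    };
  };

  # Public entry point: HTTPS only (forceSSL) with an ACME-issued certificate,
  # forwarding every path to the local atticd instance over plain HTTP.
  services.nginx = {
    virtualHosts."attic.kjtsanaktsidis.id.au" = {
      forceSSL = true;
      enableACME = true;
      locations = {
        "/" = {
          proxyPass = "http://localhost:${builtins.toString atticdPort}";
        };
      };
    };
  };
}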