{
  pkgs,
  flakes,
  secrets,
  ...
}:
{
  sops.secrets.reviewqueue = {
    sopsFile = "${secrets}/reviewqueue.env";
  };

  services.nginx = {
    virtualHosts."queue.donsz.nl" = {
      forceSSL = true;
      http2 = true;
      enableACME = true;

      locations."/" = {
        proxyPass = "http://localhost:3000";
        proxyWebsockets = true;
      };
    };
  };

  systemd.services.reviewqueue = {
    description = "Review Queue";

    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];

    restartIfChanged = true;

    serviceConfig = {
      ExecStart = "${flakes.reviewqueue.packages.${pkgs.system}.default}/bin/reviewqueue";
      Restart = "always";
      EnvironmentFile = "/run/secrets/reviewqueue";
      StateDirectory = "reviewqueue";
    };

    environment = {
      DB_PATH = "/var/lib/reviewqueue/db.sqlite";
      LD_LIBRARY_PATH =
        with pkgs;
        lib.makeLibraryPath [
          openssl
          sqlite
        ];
    };
  };
}