# NixOS module: Pocket ID (OIDC provider) served at auth.donsz.nl through an
# nginx reverse proxy, with secrets delivered by sops-nix.
{ config, ... }:
let
  # Short alias for the service options defined further down.
  cfg = config.services.pocket-id;
in
{
  # Decrypted env file, readable by the service account. It is handed to the
  # service as `environmentFile` below.
  sops.secrets.pocketid = {
    owner = cfg.user;
    sopsFile = ../../../secrets/pocketid.env;
  };

  # TLS terminates at nginx (ACME certificate, HTTP redirected to HTTPS).
  # The backend is reached over loopback only.
  services.nginx.virtualHosts."auth.donsz.nl" = {
    forceSSL = true;
    enableACME = true;
    # Larger proxy buffers than the nginx defaults for upstream responses.
    extraConfig = ''
      proxy_busy_buffers_size 512k;
      proxy_buffers 4 512k;
      proxy_buffer_size 256k;
    '';
    locations."/" = {
      proxyPass = "http://[::1]:${toString cfg.settings.PORT}";
    };
  };

  services.pocket-id = {
    enable = true;
    user = "pocket-id";
    environmentFile = config.sops.secrets.pocketid.path;

    settings = {
      PORT = 1411;
      # NOTE(review): with TRUST_PROXY the service believes forwarded client
      # headers. That is only sound if port 1411 cannot be reached except via
      # nginx; no bind address or firewall rule is visible here, so confirm
      # the listener is not exposed beyond the host.
      TRUST_PROXY = true;
      APP_URL = "https://auth.donsz.nl";

      ALLOW_USER_SIGNUPS = "withToken";
      UI_CONFIG_DISABLED = true;
      ALLOW_OWN_ACCOUNT_EDIT = true;

      DB_PROVIDER = "postgres";
      # NOTE(review): the database password is written inline, so it is
      # evaluated into the world-readable Nix store and lives in version
      # control; it is also identical to the user name. KEYS_STORAGE below
      # puts the instance's keys in this database, which makes these
      # credentials sensitive. Consider supplying DB_CONNECTION_STRING through
      # the sops-managed environmentFile above, or using peer/socket auth.
      DB_CONNECTION_STRING = "postgres://pocketid:pocketid@localhost:5432/pocketid";
      KEYS_STORAGE = "database";

      METRICS_ENABLED = false;
      TRACING_ENABLED = false;
      ANALYTICS_DISABLED = true;

      # presumably minutes (24 h) — confirm against the Pocket ID docs
      SESSION_DURATION = 1440;

      # Outbound mail via STARTTLS on the submission port. No SMTP password is
      # set here; presumably it comes from the environmentFile — verify.
      SMTP_HOST = "smtp.fastmail.com";
      SMTP_PORT = "587";
      SMTP_FROM = "auth@donsz.nl";
      SMTP_USER = "pocketid-auth";
      SMTP_TLS = "starttls";

      EMAIL_LOGIN_NOTIFICATION_ENABLED = true;
      EMAIL_API_KEY_EXPIRATION_ENABLED = true;
      # NOTE(review): e-mailed one-time access makes account security depend
      # on the recipient's mailbox; confirm this is intended.
      EMAIL_ONE_TIME_ACCESS_AS_ADMIN_ENABLED = true;

      ACCENT_COLOR = "#c66995";

      # NOTE(review): debug logging on an identity provider can be verbose;
      # check what ends up in the journal and who can read it, and consider
      # a quieter level once the deployment is stable.
      LOG_LEVEL = "debug";
    };
  };
}