{ pkgs, flakes, ... }:
{
  sops.secrets.reviewqueue = {
    sopsFile = ../../../secrets/reviewqueue.env;
  };

  services.nginx = {
    virtualHosts."queue.donsz.nl" = {
      forceSSL = true;
      http2 = true;
      enableACME = true;

      locations."/" = {
        proxyPass = "http://[::1]:3000";
      };
    };
  };

  systemd.services.reviewqueue = {
    description = "Review Queue";

    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ]; # if networking is needed

    restartIfChanged = true; # set to false, if restarting is problematic

    serviceConfig = {
      ExecStart = "${flakes.reviewqueue.packages.${pkgs.system}.default}/bin/reviewqueue";
      Restart = "always";
      EnvironmentFile = "/run/secrets/reviewqueue";
      StateDirectory = "reviewqueue";
    };

    environment = {
      DB_PATH = "/var/lib/reviewqueue/db.sqlite";
    };
  };
}