{
  lib,
  config,
  proxyReverse,
  setup,
  ...
}:
let
  cfg = config.my.servers.kavita;
in
{
  options.my.servers.kavita = setup.mkOptions "kavita" "library" config.services.kavita.settings.Port;
  config = {
    networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ];
    sops.secrets.kavita-token = lib.mkIf cfg.enable {
      owner = config.users.users.kavita.name;
      inherit (config.users.users.kavita) group;
    };
    users.users.kavita = lib.mkIf cfg.enable {
      isSystemUser = true;
      group = "kavita";
      extraGroups = [ "piracy" ];
    };
    services = {
      kavita = lib.mkIf cfg.enable {
        enable = true;
        tokenKeyFile = config.sops.secrets.kavita-token.path;
      };
      nginx.virtualHosts."${cfg.host}" = lib.mkIf cfg.enableProxy (
        proxyReverse cfg.hostName cfg.port // { }
      );
    };
  };
}