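# NixOS module for the Stash media server: declares the `my.servers.stash`
# options, wires three sops-nix secrets into `services.stash`, and optionally
# publishes the service through an nginx virtual host.
{ lib, config, ... }:
let
  cfg = config.my.servers.stash;

  # Project-local helpers (mkOptions, proxyReverseFix). Their behaviour is
  # defined in ./setup.nix and is not visible from this file.
  setup = import ./setup.nix { inherit lib config; };

  # All three Stash secrets live in the same sops-encrypted file.
  secretsFile = ../../secrets/env.yaml;
in
{
  # NOTE(review): presumably (service name, host label, default port);
  # confirm against setup.mkOptions.
  options.my.servers.stash = setup.mkOptions "stash" "xxx" 9999;

  config = {
    # Secrets are declared only when the service is enabled.
    # NOTE(review): no owner/group/mode is set here, so the sops-nix defaults
    # apply (root-owned, mode 0400) unless overridden elsewhere. Confirm the
    # stash unit reads these files with sufficient privilege; if it does not,
    # grant the service user ownership rather than widening the mode.
    sops.secrets = lib.mkIf cfg.enable {
      "stash/password".sopsFile = secretsFile;
      "stash/jwt".sopsFile = secretsFile;
      "stash/session".sopsFile = secretsFile;
    };

    services = {
      stash = lib.mkIf cfg.enable {
        enable = true;

        # NOTE(review): the "piracy" group is defined outside this file;
        # check which other services and paths it grants access to.
        group = "piracy";

        # Opens the service port on the host firewall whenever the instance is
        # not marked local.
        # NOTE(review): if cfg.enableProxy is also set, the backend port is
        # reachable directly as well as through the nginx vhost, bypassing
        # whatever the proxy adds. Confirm both are meant to be on together.
        openFirewall = !cfg.isLocal;

        # NOTE(review): with mutable settings the running configuration can
        # presumably diverge from what is declared below (e.g. UI changes);
        # confirm against the services.stash module documentation.
        mutableSettings = true;

        # Secrets are passed as file paths, so their values stay out of the
        # world-readable Nix store.
        passwordFile = config.sops.secrets."stash/password".path;
        jwtSecretKeyFile = config.sops.secrets."stash/jwt".path;
        sessionStoreKeyFile = config.sops.secrets."stash/session".path;

        settings = {
          inherit (cfg) port;
          parallel_tasks = 8;
          nobrowser = true;

          # A string, not a Nix path literal. A path literal is copied into
          # the Nix store when it is serialized, and absolute paths are
          # rejected under pure evaluation. This is a mutable runtime
          # directory, so the literal location is what must reach the config.
          plugins_path = "/var/lib/stash/plugins";

          # Library roots scanned by Stash.
          stash = [
            {
              Path = "/srv/pool/glue";
              ExcludeImage = false;
            }
          ];
        };
      };

      # NOTE(review): the vhost is gated on cfg.enableProxy only, not on
      # cfg.enable; confirm setup.nix prevents a proxy entry for a disabled
      # service.
      nginx.virtualHosts."${cfg.host}" = lib.mkIf cfg.enableProxy (setup.proxyReverseFix cfg);
    };
  };
}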