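{ lib, config, pkgs, ... }:
let
  # Per-host knobs for this service (enable, port, ...) as declared by the
  # shared server factory below.
  cfg = config.my.servers.stash;
  # The resolved upstream services.stash config, read back so the sandbox
  # binds follow whatever library paths end up in `settings.stash`.
  cfgS = config.services.stash;
  setup = import ../factories/mkserver.nix { inherit lib config; };

  # All three secrets live in the same encrypted file. sops decrypts them to
  # runtime paths at activation, so no credential material reaches the
  # world-readable Nix store.
  secretsFile = ../../secrets/secrets.yaml;
  secretNames = [ "stash/password" "stash/jwt" "stash/session" ];

  # Plugin virtualenv that the stash user maintains by hand through the FHS
  # shell below. The interpreter version is derived from pkgs.python3 instead
  # of being hard-coded, so this path cannot silently diverge from the
  # interpreter that creates the venv (assumes buildFHSEnv's `pkgs` is the
  # same package set, which is the default).
  venvDir = "/var/lib/stash/venv";
  venvSitePackages =
    "${venvDir}/lib/python${pkgs.python3.pythonVersion}/site-packages";

  # FHS chroot giving pip/virtualenv a conventional /usr layout so plugin
  # wheels with native extensions can be built. It is installed only into
  # the stash user's profile, not system-wide.
  stashPythonFHS = pkgs.buildFHSEnv {
    name = "stash-python-fhs";
    targetPkgs = pkgs: builtins.attrValues {
      inherit (pkgs) python3 gcc glibc;
      inherit (pkgs.python3Packages) pip virtualenv;
      inherit (pkgs.stdenv.cc.cc) lib;
    };
    runScript = "bash";
  };

  # Runtime library search path for native modules inside the venv.
  # makeLibraryPath selects each package's library output, which a bare
  # "${pkg}/lib" does not guarantee for multi-output packages (openssl's
  # default output is not the one holding libssl/libcrypto).
  # NOTE(review): the list itself is assumed to match what pip-built wheels
  # need; confirm against an actual plugin failure rather than growing it.
  venvLibraryPath = lib.makeLibraryPath [
    pkgs.stdenv.cc.cc.lib
    pkgs.glibc
    pkgs.zlib
    pkgs.libffi
    pkgs.openssl
  ];
in
{
  # Arguments are (service name, ???, default port); the meaning of the
  # second one is defined by mkserver.nix, not here.
  options.my.servers.stash = setup.mkOptions "stash" "xxx" 9999;

  config = lib.mkIf (cfg.enable && config.my.secureHost) {
    sops.secrets = lib.genAttrs secretNames (_: { sopsFile = secretsFile; });

    services.stash = {
      inherit (cfg) enable;
      group = "piracy";
      # Upstream option; judging by its name, settings changed in the UI are
      # kept across restarts rather than reset from this file — confirm
      # against the module before relying on it.
      mutableSettings = true;
      username = "Suing8150";
      # Credentials are handed over as file paths to the decrypted secrets,
      # never as inline strings.
      passwordFile = config.sops.secrets."stash/password".path;
      jwtSecretKeyFile = config.sops.secrets."stash/jwt".path;
      sessionStoreKeyFile = config.sops.secrets."stash/session".path;
      settings = {
        inherit (cfg) port;
        # Listens on every interface; what can actually reach the port is
        # decided by the host firewall or whatever fronts it, not by this
        # module.
        host = "0.0.0.0";
        stash = [ { path = "/srv/pool/glue/"; } ];
      };
    };

    systemd.services.stash = {
      environment = {
        PYTHONPATH = venvSitePackages;
        LD_LIBRARY_PATH = venvLibraryPath;
      };
      serviceConfig = {
        # NOTE(review): this discards whatever read-only binds the upstream
        # module sets, which widens what the sandboxed process can see and
        # write; confirm it is still required by the plugin venv.
        BindReadOnlyPaths = lib.mkForce [ ];
        # Library roots are bind-mounted read-write (BindPaths rather than
        # BindReadOnlyPaths) so the service can write into them. Guard on the
        # `stash` key itself: `settings != { }` is already true once any
        # setting exists and would then fail on a missing `settings.stash`.
        BindPaths = lib.mkIf (cfgS.settings ? stash)
          (map (entry: toString entry.path) cfgS.settings.stash);
      };
    };

    users.users.stash = {
      isSystemUser = true;
      # Puts the FHS shell on the stash user's PATH for maintaining the venv.
      packages = [ stashPythonFHS ];
    };
  };
}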