{
  lib,
  config,
  pkgs,
  ...
}:
let
  cfg = config.services.readeck;
  secrets = config.age.secrets;
  fqdn = "${cfg.subdomain}.${config.networking.domain}";
in
{
  options.services.readeck = {
    subdomain = lib.mkOption {
      type = lib.types.str;
    };
  };

  config = lib.mkIf cfg.enable {
    services = {
      readeck = {
        package = pkgs.readeck;
        environmentFile = secrets.readeck.path;
        settings = {
          server.port = lib.mkDefault 8090;
          database.source = "postgres://readeck:@readeck?host=/var/run/postgresql";
        };
      };

      webserver = {
        enable = lib.mkDefault true;
        vHosts.${fqdn} = {
          proxyBuffering = false;
          locations."/" = {
            proxyPort = cfg.settings.server.port;
          };
        };
      };

      postgresql = {
        enable = lib.mkDefault true;
        ensureDatabases = [ "readeck" ];
        ensureUsers = [
          {
            name = "readeck";
            ensureDBOwnership = true;
          }
        ];
      };
    };
  };
}