# NixOS module for the snips.sh pastebin served at bin.freun.dev.
#
# The unit runs as a DynamicUser inside the NixOS `confinement` sandbox and is
# reachable two ways:
#   * HTTP – bound to loopback only and fronted by the local webserver module;
#   * SSH  – bound on every address and opened in the firewall, which is why the
#            SSH side is pinned to an authorized_keys file instead of being open.
{ pkgs, bin, ssh, ... }:
let
  inherit (bin) sshPort;
  fqdn = "bin.freun.dev";
  port = 3600;

  # Directory systemd creates/owns for the unit (StateDirectory = "snips").
  stateDir = "/var/lib/snips";

  # Public keys allowed on the SSH listener. This file ends up in the Nix
  # store (world-readable), so only *public* key material belongs here.
  # NOTE(review): presumably snips.sh rejects SSH sessions whose key is not
  # listed in this file — confirm against the snips.sh configuration docs.
  authorizedKeys = pkgs.writeTextFile {
    name = "authorized_keys";
    text = ssh.publicKeys.yubikey;
  };
in
{
  # Build snips-sh with its TensorFlow-backed variant. This enlarges the
  # closure of an internet-facing unit; keep only if the feature is wanted.
  nixpkgs.config.snips-sh.withTensorflow = true;

  systemd.services.snips = {
    enable = true;
    description = "Snips pastebin";
    wantedBy = [ "multi-user.target" ];

    environment = {
      # HTTP is loopback-only; TLS and the public hostname are the reverse
      # proxy's responsibility (see the vHost entry below).
      SNIPS_HTTP_INTERNAL = "http://[::1]:${toString port}";
      SNIPS_HTTP_EXTERNAL = "https://${fqdn}";

      # SSH listens on all addresses; the firewall rule below exposes it.
      SNIPS_SSH_INTERNAL = "ssh://[::0]:${toString sshPort}";
      SNIPS_SSH_EXTERNAL = "ssh://${fqdn}:${toString sshPort}";

      # Host key and database live under the persistent state directory so the
      # SSH host key (and thus its fingerprint) is not regenerated on restart.
      SNIPS_HOST_KEY_PATH = "${stateDir}/keys/snips";
      SNIPS_DB_FILEPATH = "${stateDir}/snips.db";

      SNIPS_SSH_AUTHORIZEDKEYSPATH = authorizedKeys;
    };

    serviceConfig = {
      ExecStart = "${pkgs.snips-sh}/bin/snips.sh";
      WorkingDirectory = stateDir;

      # Secrets are deliberately kept out of the store and loaded from this
      # file; it should be root-owned with mode 0600. NOTE(review): assumes
      # systemd reads EnvironmentFile= with manager privileges, not as the
      # dynamic user — verify before tightening the file's permissions.
      EnvironmentFile = "/var/secrets/snips.env";

      StateDirectory = "snips";
      ConfigurationDirectory = "snips";

      # Ephemeral UID/GID allocated per start; nothing on disk outside the
      # State/ConfigurationDirectory is owned by the service.
      DynamicUser = true;
    };

    # Chroot the unit. authorized_keys is only referenced through an
    # environment variable, so it is listed explicitly to be visible inside
    # the confinement root. NOTE(review): the ExecStart closure is presumably
    # added by the confinement module itself — confirm on upgrade.
    confinement = {
      enable = true;
      packages = [ authorizedKeys ];
    };
  };

  # Reverse proxy: public HTTPS vhost -> loopback HTTP port.
  modules.webserver.vHosts.${fqdn}.locations."/".proxyPort = port;

  # Only the SSH listener is exposed directly; HTTP stays behind the proxy.
  networking.firewall.allowedTCPPorts = [ sshPort ];
}