{ pkgs, bin, ... }:
let
  # Public host name of the paste service; drives the Caddy vhost and the
  # externally advertised HTTP/SSH URLs.
  fqdn = "bin.freun.dev";

  # Loopback-only HTTP port. The listener binds 127.0.0.1 and only Caddy
  # proxies to it; it is never opened in the firewall.
  port = 3600;
  inherit (bin) sshPort;

  portStr = toString port;
  sshPortStr = toString sshPort;

  # Runtime state (host key, sqlite db) lives under the systemd StateDirectory.
  stateDir = "/var/lib/snips";

  # Keys allowed to open SSH sessions against the paste service. This is
  # public key material only, so placing it in the (world-readable) Nix store
  # is acceptable.
  authorizedKeys = pkgs.writeTextFile {
    name = "authorized_keys";
    text = ''
      ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLIUkESu5NnBi1M0+ZjYrkp6/rIFuwc3aguspf98jmOydNce6l65cnS3GRzc9oWx4lu11ahi87ZuE+pYV+gaHm4=
    '';
  };

  # Non-secret configuration handed to the daemon via its environment.
  # Secrets are expected from the EnvironmentFile below, not from here.
  snipsEnv = {
    SNIPS_HTTP_INTERNAL = "http://127.0.0.1:${portStr}";
    SNIPS_HTTP_EXTERNAL = "https://${fqdn}";
    # SSH is the one listener bound on all interfaces; see the firewall rule.
    SNIPS_SSH_INTERNAL = "ssh://0.0.0.0:${sshPortStr}";
    SNIPS_SSH_EXTERNAL = "ssh://${fqdn}:${sshPortStr}";
    SNIPS_HOST_KEY_PATH = "${stateDir}/keys/snips";
    SNIPS_DB_FILEPATH = "${stateDir}/snips.db";
    SNIPS_SSH_AUTHORIZEDKEYSPATH = authorizedKeys;
  };
in
{
  nixpkgs.config.snips-sh.withTensorflow = true;

  systemd.services.snips = {
    enable = true;
    description = "Snips pastebin";
    environment = snipsEnv;

    serviceConfig = {
      # Presumably holds the secret settings (path name suggests so); kept
      # outside the store and read by systemd at unit start.
      EnvironmentFile = "/var/secrets/snips.env";
      StateDirectory = "snips";
      ConfigurationDirectory = "snips";
      WorkingDirectory = stateDir;
      ExecStart = "${pkgs.snips-sh}/bin/snips.sh";
      # Run as a transient, unprivileged user owned by systemd.
      DynamicUser = true;
    };

    wantedBy = [ "multi-user.target" ];

    # Chroot-style confinement; the authorized_keys store path must be listed
    # so it stays readable from inside the confined root.
    confinement = {
      enable = true;
      packages = [ authorizedKeys ];
    };
  };

  # TLS termination and the only external route to the HTTP listener.
  services.caddy.virtualHosts."${fqdn}".extraConfig = ''
    reverse_proxy localhost:${portStr}
  '';

  # Only the SSH port is exposed directly; HTTP stays behind Caddy.
  networking.firewall.allowedTCPPorts = [ sshPort ];
}