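# NixOS module: Anki sync server for one user, published at anki.<domain>
# through an nginx reverse proxy that terminates TLS (ACME certificate).
{config, ...}: let
  anki = config.services.anki-sync-server;
  secrets = config.sops.secrets;
  domain = "tristans.cloud";
in {
  # The password file is owned by the same account the service runs as
  # (see the User override at the bottom), so the sync server can read it.
  sops.secrets."anki/password" = {
    owner = "anki";
  };

  services.anki-sync-server = {
    enable = true;
    # Listen on loopback only. nginx below is the sole intended client and it
    # connects locally; binding to 0.0.0.0 would also serve the plain-HTTP
    # sync endpoint on every interface, bypassing the TLS vhost wherever the
    # port is reachable. If direct LAN access is really wanted, widen this
    # deliberately and open the firewall for it explicitly.
    address = "127.0.0.1";
    users = [
      {
        username = "tristan";
        passwordFile = secrets."anki/password".path;
      }
    ];
  };

  services.nginx.virtualHosts."anki.${domain}" = {
    forceSSL = true; # redirect plain HTTP to HTTPS
    enableACME = true;
    # Explicit IPv4 loopback to match the listener address above; `localhost`
    # can also resolve to ::1, where nothing is listening.
    locations."~".proxyPass = "http://127.0.0.1:${toString anki.port}";
  };

  # TODO: this really ought to be part of the nixpkgs anki-sync-server module
  # Dedicated unprivileged system account for the service, so the secret's
  # owner above refers to a user that exists.
  users.users.anki = {
    group = "anki";
    isSystemUser = true;
  };
  users.groups.anki = {};
  systemd.services.anki-sync-server.serviceConfig.User = "anki";
}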