# NixOS host module: firewall, a namespaced WireGuard tunnel, a remote storage
# box mount, slskd confined to the VPN network namespace, gonic and wrtagweb,
# nginx TLS reverse proxies in front of the web UIs, and sops-managed secrets.
{ config, pkgs, ... }:
let
  # Shared shape of the TLS reverse-proxy virtual hosts below: ACME-issued
  # certificate, HTTP redirected to HTTPS, websocket upgrade headers enabled.
  tlsProxyTo = upstream: {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = upstream;
      proxyWebsockets = true;
    };
  };

  # sops secrets that are readable by root only.
  rootOwned = { owner = "root"; };

  secretPath = config.sops.secrets;
in
{
  networking.firewall = {
    enable = true;
    # 80/443 serve the nginx virtual hosts and the ACME HTTP challenge.
    allowedTCPPorts = [ 80 443 ];
    # NOTE(review): 51820 is also the port of the remote WireGuard endpoint
    # configured below. If this host only dials out to that endpoint, an
    # inbound allow rule may not be needed; confirm before keeping it open.
    allowedUDPPorts = [ 51820 ];
  };

  services = {
    # WireGuard tunnel. The private key is read from a sops-decrypted file
    # instead of being written into this file; publicKey is presumably the
    # remote peer's key (verify against the module).
    namespaced-vpn = {
      enable = true;
      ips = [ "10.64.244.95/32" "fc00:bbbb:bbbb:bb01::1:f45e/128" ];
      publicKey = "KkShcqgwbkX2A9n1hhST6qu+m3ldxdJ2Lx8Eiw6mdXw=";
      endpoint = "146.70.117.226:51820";
      privateKeyFile = secretPath.wireguardKey.path;
      dns = "10.64.0.1";
    };

    # Remote storage box. hostKey pins the server's SSH host key; the SSH key
    # and the pass file both come from sops secrets.
    storagebox = {
      enable = true;
      hostname = "u491729.your-storagebox.de";
      hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICf9svRenC/PLKIL9nk6K/pxQgoiFC41wTNvoIncOxs";
      user = "u491729";
      sshKeyFile = secretPath.storageboxKey.path;
      passFile = secretPath.storageboxCryptKey.path;
    };

    # slskd takes its credentials from a sops-managed environment file.
    # NOTE(review): domain here is "slsk.escapeangle.com" while the nginx
    # virtual host below is "sls.escapeangle.com"; confirm which name is
    # intended, since a mismatch leaves one of the two names without the
    # proxy that is expected for it.
    slskd = {
      enable = true;
      domain = "slsk.escapeangle.com";
      environmentFile = secretPath.slskdEnvFile.path;
      settings = {
        shares.directories = [ "/data/slsk/share" ];
        directories = {
          downloads = "/data/slsk/downloads";
          incomplete = "/data/slsk/incomplete";
        };
      };
    };

    gonic = {
      enable = true;
      settings = {
        music-path = [ "/data/music" ];
        podcast-path = [ "/data/podcast" ];
        playlists-path = [ "/data/playlists" ];
      };
    };

    # NOTE(review): the API key is the literal "test". Unlike the sops-backed
    # secrets in this file, a value written here is copied into the
    # world-readable Nix store, and the value itself is trivially guessable.
    # Source it from a secret before this service is reachable by anyone but
    # the operator; whether the module accepts a file-based key cannot be
    # told from this file. No nginx virtual host for wrtagweb is defined here.
    wrtagweb = {
      enable = true;
      settings.web-api-key = "test";
    };

    nginx.virtualHosts = {
      # Upstream is 10.10.10.2 rather than localhost; presumably the address
      # of slskd inside the VPN namespace (confirm against the VPN module).
      "sls.escapeangle.com" =
        tlsProxyTo "http://10.10.10.2:${toString config.services.slskd.settings.web.port}";

      # Presumably gonic's listen address; it is not set explicitly above.
      "music.escapeangle.com" = tlsProxyTo "http://localhost:4747";
    };
  };

  # Run slskd inside the "vpn" network namespace so its traffic uses that
  # namespace's interfaces. UMask 0002 leaves files it creates group-writable,
  # which pairs with the shared "storage" group below.
  systemd.services.slskd.serviceConfig = {
    UMask = "0002";
    NetworkNamespacePath = "/run/netns/vpn";
  };

  # Group shared by the services that write under /data.
  users.groups.storage = {
    name = "storage";
    gid = 491729;
    members = [ "slskd" "wrtagweb" ];
  };

  environment.systemPackages = [ pkgs.unstable.wrtag ];

  sops = {
    defaultSopsFile = ./hosting-02.yaml;
    secrets = {
      wireguardKey = rootOwned;
      storageboxKey = rootOwned;
      storageboxCryptKey = rootOwned;
      # Owned by the slskd service user so the unit can read its own
      # environment file.
      slskdEnvFile = { owner = config.services.slskd.user; };
    };
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "landervandenbulcke@gmail.com";
  };

  system.stateVersion = "25.05";
}