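{ pkgs, lib, config, ... }:
let
  domain = "ente.kylekrein.com";

  # Public, TLS-terminated S3 endpoint. MinIO (MINIO_SERVER_URL) and Ente's s3
  # block must both use exactly this URL, so it is defined once.
  s3Endpoint = "https://s3.kylekrein.com";

  # MinIO verifies AWS SigV4 request signatures, and SigV4 always signs the Host
  # header. Without an explicit Host, nginx forwards "Host: localhost:<port>",
  # which cannot match what the client signed. The X-Forwarded-* headers let
  # MinIO log the real client instead of 127.0.0.1. This duplicates what
  # services.nginx.recommendedProxySettings would add, so these vhosts do not
  # silently depend on that option being enabled elsewhere in the configuration.
  proxyHeaders = ''
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  '';
in
{
  # MinIO root credentials, delivered by sops-nix as an env-style file
  # (MINIO_ROOT_USER=... / MINIO_ROOT_PASSWORD=...) readable only by the minio
  # user. Keep them out of the Nix store: never inline them via pkgs.writeText.
  sops.secrets."services/minio" = { owner = "minio"; };

  services.minio = {
    enable = true;
    # Ente's s3.<bucket>.region below must carry the same value.
    region = "us-east-1";
    # Only nginx on this host talks to MinIO, so bind the plaintext S3 API and
    # console to loopback instead of every interface (":port"). The ports are
    # then unreachable from the network regardless of firewall state. Widen this
    # only if another host genuinely needs direct, non-TLS access.
    listenAddress = "127.0.0.1:21939";
    consoleAddress = "127.0.0.1:21940";
    # File format: MINIO_ROOT_USER=<name> / MINIO_ROOT_PASSWORD=<long random value>.
    rootCredentialsFile = config.sops.secrets."services/minio".path;
  };

  # Tell MinIO its externally visible URL so presigned URLs and console links
  # use the public https host rather than the loopback listen address.
  systemd.services.minio.environment.MINIO_SERVER_URL = s3Endpoint;

  services.nginx = {
    # MinIO web console. NOTE(review): this vhost is reachable from the Internet
    # and accepts the root credentials; if it is only needed occasionally,
    # consider restricting it by source IP (allow/deny in extraConfig) or
    # dropping the vhost and reaching the console over an SSH tunnel instead.
    virtualHosts."web.s3.kylekrein.com" = {
      forceSSL = true;
      enableACME = true;
      extraConfig = proxyHeaders;
      # 127.0.0.1 rather than "localhost": matches the loopback bind above and
      # avoids nginx also trying ::1, which MinIO no longer listens on.
      locations."/".proxyPass = "http://127.0.0.1:21940";
    };

    # S3 API endpoint used by Ente (and by presigned URLs handed to clients).
    virtualHosts."s3.kylekrein.com" = {
      forceSSL = true;
      enableACME = true;
      locations."/".proxyPass = "http://127.0.0.1:21939";
      extraConfig = proxyHeaders + ''
        # Upper bound on a single object upload passing through the proxy.
        client_max_body_size 16G;
        # Stream bodies straight through instead of spooling large uploads and
        # downloads to nginx's disk first.
        proxy_buffering off;
        proxy_request_buffering off;
      '';
    };
  };

  # Ente secrets, readable only by the ente service user.
  sops.secrets."services/ente/minio/user" = { owner = "ente"; };
  sops.secrets."services/ente/minio/password" = { owner = "ente"; };
  sops.secrets."services/ente/encryption" = { owner = "ente"; };
  sops.secrets."services/ente/hash" = { owner = "ente"; };
  sops.secrets."services/ente/jwt" = { owner = "ente"; };

  services.ente = {
    web = {
      enable = true;
      domains = {
        photos = "photos.${domain}";
        albums = "albums.${domain}";
        cast = "cast.${domain}";
        api = "api.${domain}";
        accounts = "accounts.${domain}";
      };
    };

    api = {
      enable = true;
      domain = "api.${domain}";
      enableLocalDB = true;
      nginx.enable = true;
      settings = {
        apps.accounts = "https://accounts.${domain}";
        apps.cast = "https://cast.${domain}";
        public-albums = "https://albums.${domain}";

        # Object storage. Every credential is a _secret reference, so the value
        # is substituted from the sops file at runtime rather than rendered into
        # the world-readable Nix store.
        s3 = {
          b2-eu-cen = {
            are_local_buckets = false;
            # MinIO is served under one hostname, not per-bucket subdomains.
            use_path_style_urls = true;
            endpoint = s3Endpoint;
            # Must equal services.minio.region above.
            region = "us-east-1";
            bucket = "ente";
            key._secret = config.sops.secrets."services/ente/minio/user".path;
            secret._secret = config.sops.secrets."services/ente/minio/password".path;
          };
        };

        key = {
          # generate with: openssl rand -base64 32
          encryption._secret = config.sops.secrets."services/ente/encryption".path;
          # generate with: openssl rand -base64 64
          hash._secret = config.sops.secrets."services/ente/hash".path;
        };
        # generate with: openssl rand -base64 32
        jwt.secret._secret = config.sops.secrets."services/ente/jwt".path;

        internal = {
          # User ID that Ente treats as the instance admin.
          admin = 1580559962386438;
          # Closed instance: no self-service sign-up; accounts are created out
          # of band by the admin.
          disable-registration = true;
        };
      };
    };
  };
}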