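# Pingvin Share deployment: runs the upstream image as an OCI container, puts
# one Anubis instance in front of the frontend port and one in front of the
# backend port, and renders config.yaml with the SMTP / OIDC secrets at boot.
{
  config,
  pkgs,
  self',
  self,
  ...
}:
let
  # Port assignments for this service (port, be-port, anubis, be-anubis).
  d = self.lib.data.services.pingvin-share;
  # The native NixOS module stays disabled below; its option values
  # (user, group, dataDir) are still read from here.
  cfg = config.services.pingvin-share;
  configFormat = pkgs.formats.yaml { };

  # Template only. It is built into the world-readable Nix store, so it holds
  # the literal placeholders SMTP_PASSWORD and CLIENT_SECRET rather than the
  # real values; init-pingvin-config fills them in at runtime.
  configFile = configFormat.generate "config.yaml" {
    general = {
      appName = "dishNet Share";
      appUrl = "https://share.pyrox.dev";
      secureCookies = "true";
      showHomePage = "false";
    };
    share = {
      # No self-service accounts and no anonymous uploads: every share needs
      # an authenticated user.
      allowRegistration = "false";
      allowUnauthenticatedShares = "false";
      maxSize = "10000000000";
    };
    email.enableShareEmailRecipients = "true";
    smtp = {
      enabled = "true";
      host = "mail.pyrox.dev";
      port = "465";
      email = "share@pyrox.dev";
      username = "share@pyrox.dev";
      password = "SMTP_PASSWORD"; # placeholder, replaced at runtime
    };
    ldap.enabled = "false";
    legal.enabled = "false";
    s3.enabled = "false";
    oauth = {
      # NOTE(review): presumably skips the app's own TOTP prompt for OAuth
      # logins, which leaves MFA entirely to the identity provider. Confirm
      # the provider enforces it.
      ignoreTotp = "true";
      oidc-enabled = "true";
      oidc-clientSecret = "CLIENT_SECRET"; # placeholder, replaced at runtime
      oidc-clientId = "d83006a6-9b08-47eb-af56-418065db09b5";
      oidc-discoveryUri = "https://auth.pyrox.dev/.well-known/openid-configuration";
      oidc-signOut = "false";
      oidc-scope = "openid email profile groups";
      # Admin rights follow the "groups" claim: members of "admins" become
      # application admins, so that group's membership is the trust boundary.
      oidc-rolePath = "groups";
      oidc-roleAdminAccess = "admins";
    };
    # NOTE(review): a real boolean, while every other flag in this file is a
    # string. Left as written; confirm the application accepts both forms.
    initUser.enabled = false;
  };
in
{
  virtualisation.oci-containers.containers = {
    pingvin-share-server = {
      # NOTE(review): ":latest" is a mutable tag, so whatever is published
      # under it gets pulled without review. Pin a release tag or an image
      # digest to make upgrades deliberate and reproducible.
      image = "ghcr.io/stonith404/pingvin-share:latest";
      # NOTE(review): with no host address these ports are published on every
      # interface, so the app can be reached directly without passing through
      # Anubis (whose TARGETs are localhost). If nothing off-host needs them,
      # prefix the mappings with "127.0.0.1:".
      ports = [
        "${toString d.port}:3000"
        "${toString d.be-port}:8080"
      ];
      # NOTE(review): these host paths are hard-coded while the init unit
      # writes to cfg.dataDir. They only line up if dataDir is
      # /var/lib/pingvin-share.
      volumes = [
        "/var/lib/pingvin-share/data:/opt/app/backend/data"
        "/var/lib/pingvin-share/data/images:/opt/app/frontend/public/img"
        "/var/lib/pingvin-share/config.yaml:/opt/app/config.yaml"
      ];
      environment = {
        API_URL = "https://share.pyrox.dev";
        # Same numeric ids as users.users.pingvin / users.groups.pingvin below.
        PUID = "962";
        PGID = "959";
      };
    };
  };

  # NOTE(review): assumes cfg.user and cfg.group are both "pingvin"; the unit
  # and the secret below are owned via cfg.user / cfg.group.
  users.users.pingvin = {
    uid = 962;
    group = cfg.group;
    isSystemUser = true;
  };
  users.groups.pingvin = {
    gid = 959;
  };

  services = {
    # The native service is not started; the container above is what runs.
    pingvin-share = {
      enable = false;
      backend.port = d.be-port;
      frontend.port = d.port;
      hostname = "share.pyrox.dev";
      https = true;
    };
    # One Anubis instance per upstream port, both using the same policy file.
    anubis.instances = {
      pingvin-share-be = {
        settings = {
          BIND = ":${toString d.be-anubis}";
          POLICY_FNAME = "${self'.packages.anubis-files}/policies/pingvin-share.yaml";
          TARGET = "http://localhost:${toString d.be-port}";
        };
      };
      pingvin-share-fe = {
        settings = {
          BIND = ":${toString d.anubis}";
          POLICY_FNAME = "${self'.packages.anubis-files}/policies/pingvin-share.yaml";
          TARGET = "http://localhost:${toString d.port}";
        };
      };
    };
  };

  # Renders the runtime config.yaml from the store template plus the secrets
  # that the EnvironmentFile provides (SMTP_PASSWORD, CLIENT_SECRET).
  systemd.services.init-pingvin-config = {
    enable = true;
    description = "Pingvin Share configuration setup";
    wantedBy = [ "multi-user.target" ];
    before = [ "docker-pingvin-share-server.service" ];
    path = [ pkgs.gnused ];
    script = ''
      # Backslash-escape the characters that are special in a sed replacement
      # so that a secret containing "/", "&" or "\" is inserted verbatim.
      # NOTE(review): a secret containing a double quote would still break the
      # quoted YAML scalar it is placed in.
      sed_escape() { printf '%s' "$1" | sed -e 's/[\\/&]/\\&/g'; }

      # install replaces any previous file (a plain rm exits non-zero when
      # there is none yet) and sets the mode up front, so the rendered secrets
      # are not left world-readable the way a copy of the 0444 store file is.
      install -m 0640 ${configFile} ${cfg.dataDir}/config.yaml

      # The sed program is fed through a file descriptor by shell builtins, so
      # the secrets never show up in any process's argv.
      sed -i -f <(
        printf 's/SMTP_PASSWORD/"%s"/\n' "$(sed_escape "$SMTP_PASSWORD")"
        printf 's/CLIENT_SECRET/"%s"/\n' "$(sed_escape "$CLIENT_SECRET")"
      ) ${cfg.dataDir}/config.yaml
    '';
    serviceConfig = {
      # oneshot makes the "before" ordering wait until the script has
      # finished, not merely started, so the container cannot start against a
      # config that is missing or still holds the placeholders.
      Type = "oneshot";
      EnvironmentFile = config.age.secrets.pingvin-secrets.path;
      User = cfg.user;
      Group = cfg.group;
      ReadWritePaths = [ "${cfg.dataDir}" ];
    };
  };

  # agenix-encrypted environment file, readable only by the service account.
  age.secrets.pingvin-secrets = {
    file = ./secrets/pingvin-secrets.age;
    owner = cfg.user;
    group = cfg.group;
  };
}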