# NixOS module: Pocket ID at https://auth.pyrox.dev, plus two Anubis instances,
# one targeting the frontend port and one targeting the backend port.
{
  config,
  lib,
  pkgs,
  ...
}:
let
  # Per-service data; this module reads port, be-port, anubis and be-anubis from it.
  d = lib.py.data.services.pocket-id;

  # Backend listen port, used for both BACKEND_PORT and INTERNAL_BACKEND_URL.
  # NOTE(review): the backend Anubis instance targets d.be-port instead;
  # confirm that value is also 30101, otherwise it proxies to the wrong port.
  backendPort = 30101;

  # Both Anubis instances load the same policy file.
  policyFile = "${pkgs.py.anubis-files}/policies/pocket-id.yaml";

  # Build one Anubis instance listening on listenPort and forwarding to a
  # local upstream on upstreamPort.
  # NOTE(review): BIND has no host part, so this likely listens on every
  # interface; confirm the firewall only exposes it where intended.
  mkAnubis = listenPort: upstreamPort: {
    settings = {
      BIND = ":${toString listenPort}";
      POLICY_FNAME = policyFile;
      TARGET = "http://localhost:${toString upstreamPort}";
    };
  };
in
{
  services.pocket-id = {
    enable = true;

    # Secret values come from the agenix-managed file declared below rather
    # than from `settings`. No SMTP password appears in `settings`, so it is
    # presumably supplied here; verify.
    environmentFile = config.age.secrets.pocket-id-secrets.path;

    settings = {
      PUBLIC_APP_URL = "https://auth.pyrox.dev";

      # NOTE(review): TRUST_PROXY presumably makes the app rely on
      # proxy-supplied request headers. Confirm PORT and BACKEND_PORT cannot
      # be reached by clients except through the proxy / Anubis.
      TRUST_PROXY = true;
      UPDATE_CHECK_DISABLED = true;
      BACKEND_PORT = backendPort;
      PORT = d.port;
      INTERNAL_BACKEND_URL = "http://localhost:${toString backendPort}";

      # Frontend Config
      # With the UI config disabled, the values below are fixed by this module.
      PUBLIC_UI_CONFIG_DISABLED = true;
      APP_NAME = "dishNet Auth";
      # presumably minutes; confirm against the Pocket ID documentation
      SESSION_DURATION = 120;
      # NOTE(review): every address is presumably reported as verified.
      # ALLOW_OWN_ACCOUNT_EDIT is also on, so confirm whether a self-edited
      # address is reported as verified to relying parties too.
      EMAILS_VERIFIED = true;
      ALLOW_OWN_ACCOUNT_EDIT = true;
      DISABLE_ANIMATIONS = true;

      # Outgoing mail: port 465 with SMTP_TLS = "tls", and certificate
      # verification is left enabled.
      SMTP_HOST = "mail.pyrox.dev";
      SMTP_PORT = 465;
      SMTP_FROM = "auth@pyrox.dev";
      SMTP_USER = "auth@pyrox.dev";
      SMTP_TLS = "tls";
      SMTP_SKIP_CERT_VERIFY = false;

      LDAP_ENABLED = false;
    };
  };

  # Encrypted secrets file; the decrypted copy is owned by the pocket-id
  # user and group.
  age.secrets.pocket-id-secrets = {
    file = ./secrets/pocket-id-secrets.age;
    owner = "pocket-id";
    group = "pocket-id";
  };

  services.anubis.instances = {
    pocket-id-fe = mkAnubis d.anubis d.port;
    pocket-id-be = mkAnubis d.be-anubis d.be-port;
  };
}