{
  config,
  self,
  ...
}:
let
  d = self.lib.data.services.pocket-id;
in
{
  services.pocket-id = {
    enable = true;
    environmentFile = config.age.secrets.pocket-id-secrets.path;
    settings = {
      APP_URL = "https://${d.extUrl}";
      TRUST_PROXY = true;
      UPDATE_CHECK_DISABLED = true;
      PORT = d.port;

      # Frontend Config
      UI_CONFIG_DISABLED = true;
      APP_NAME = "dishNet Auth";
      SESSION_DURATION = 120;
      EMAILS_VERIFIED = true;
      ALLOW_OWN_ACCOUNT_EDIT = true;
      DISABLE_ANIMATIONS = true;
      SMTP_HOST = "mail.pyrox.dev";
      SMTP_PORT = 465;
      SMTP_FROM = "auth@pyrox.dev";
      SMTP_USER = "auth@pyrox.dev";
      SMTP_TLS = "tls";
      SMTP_SKIP_CERT_VERIFY = false;
      LDAP_ENABLED = false;
    };
  };

  age.secrets.pocket-id-secrets = {
    file = ./secrets/pocket-id-secrets.age;
    owner = "pocket-id";
    group = "pocket-id";
  };
  services.anubis.instances = {
    pocket-id = {
      settings = {
        BIND = ":${toString d.anubis}";
        TARGET = "http://localhost:${toString d.port}";
      };
    };
  };
}