{
  config,
  lib,
  self,
  ...
}:
let
  cfg = config.services.tangled.knot;
  dk = self.lib.data.services.tangled-knot;
  ds = self.lib.data.services.tangled-spindle;
in
{
  services = {
    tangled = {
      knot = {
        enable = true;
        gitUser = "git";
        stateDir = "/var/lib/tangled-knot";
        repo.scanPath = "${cfg.stateDir}/repos";
        server = {
          listenAddr = "0.0.0.0:${toString dk.port}";
          hostname = dk.extUrl;
          internalListenAddr = "127.0.0.1:${toString dk.intListenPort}";
          owner = "did:plc:5cqzysioqzttihsnbsaxrggu";
        };
      };
      spindle = {
        enable = true;
        server = {
          listenAddr = "0.0.0.0:${toString ds.port}";
          hostname = ds.extUrl;
          owner = "did:plc:5cqzysioqzttihsnbsaxrggu";
        };
        pipelines.workflowTimeout = "10m";
      };
    };
    openssh = {
      enable = lib.mkForce cfg.enable;
      ports = [ 2222 ];
      settings.AllowUsers = [ "git" ];
      settings.AllowGroups = [ "git" ];
    };
  };
}