# NixOS module for a Piped instance (frontend, backend, proxy) running inside a
# container. nginx serves the three virtual hosts on loopback TCP ports and on
# unix sockets under /var/sockets.
# NOTE(review): TLS and ACME are switched off below and a comment refers to
# configuration "outside of container", so HTTPS is presumably terminated by an
# outer proxy. Confirm that nothing reaches these listeners unencrypted over a
# network.
{config, ...}: let
  portMap = import ../data/ports.nix;
  piped = config.services.piped;

  # Directory holding the unix sockets nginx listens on.
  socketDir = "/var/sockets";

  # Absolute path of the unix socket for one Piped component.
  socketFor = component: "${socketDir}/piped-${component}.sock";

  # Virtual host bound to a loopback TCP port and to the component's unix
  # socket. Neither listener is reachable from other hosts directly.
  mkLocalVhost = component: port: {
    listen = [
      {
        addr = "127.0.0.1";
        inherit port;
      }
    ];
    extraConfig = "listen unix:${socketFor component};";
  };
in {
  services.piped = {
    enable = true;

    frontendDomain = "piped-fi.owo.monster";
    backendDomain = "backend.piped-fi.owo.monster";
    proxyDomain = "proxy.piped-fi.owo.monster";

    disableRegistrations = true;

    # TODO: read these credentials from a file before the DB is opened to the
    # firewall. Username and password are both the literal "piped"; for now the
    # database is only addressed on loopback (postgresDBHost below).
    # NOTE(review): strings in a NixOS configuration normally end up in the
    # world-readable /nix/store, so a real secret should not be written inline.
    # Confirm how the piped module consumes postgresDBPassword.
    postgresDBName = "piped";
    postgresDBUsername = "piped";
    postgresDBPassword = "piped";

    # The backend talks to CockroachDB (see the dialect and the
    # cockroachdb.service dependency below) through the postgres* options.
    postgresDBHost = "127.0.0.1";
    postgresDBPort = 26257;
    databaseDialect = "org.hibernate.dialect.CockroachDialect";
    # Presumably stops the module from provisioning its own PostgreSQL. Verify
    # against the piped module.
    disablePostgresDB = true;

    # No TLS redirect and no certificate issuance at this layer.
    nginxForceSSL = false;
    nginxEnableACME = false;

    # proxyNginxExtraConfig is deliberately not set here; it has to be set
    # outside the container.

    internalBackendPort = portMap.internal-piped-backend;
    internalProxyPort = portMap.internal-piped-proxy;
  };

  # Socket directory owned by nginx:nginx. The mode field is "-", so the
  # tmpfiles default applies.
  # NOTE(review): which local users can connect then depends on the permissions
  # nginx puts on the socket files. Check that this matches the intended
  # exposure.
  systemd.tmpfiles.rules = ["d ${socketDir} - nginx nginx"];

  systemd.services = {
    # Lets the nginx unit write into the socket directory so that it can create
    # the sockets.
    nginx.serviceConfig.ReadWritePaths = [socketDir];

    # Start the backend after CockroachDB. `wants` is a weak dependency: the
    # backend is still started if cockroachdb.service fails.
    piped-backend = {
      after = ["cockroachdb.service"];
      wants = ["cockroachdb.service"];
    };
  };

  services.nginx.virtualHosts = {
    "${piped.frontendDomain}" = mkLocalVhost "frontend" 8091;
    "${piped.backendDomain}" = mkLocalVhost "backend" 8092;
    "${piped.proxyDomain}" = mkLocalVhost "proxy" 8093;
  };
}