{
  config,
  pkgs,
  ...
}: {
  sops.secrets."ente/minio/root_password".owner = "ente";
  sops.secrets."ente/minio/root_user".owner = "ente";
  sops.secrets."service_accounts/ente/password".owner = "ente";

  environment.systemPackages = with pkgs; [
    ente-cli
  ];

  services.ente.api = {
    enable = true;
    enableLocalDB = true;

    domain = "ente-museum.procopius.dk";
    settings = {
      # apps = {
      #   accounts = "https://accounts.procopius.dk";
      #   cast = "https://cast.procopius.dk";
      #   public-albums = "https://albums.procopius.dk";
      # };

      smtp = {
        host = "mail.procopius.dk";
        port = "465";
        username = "ente@procopius.dk";
        password._secret = config.sops.secrets."service_accounts/ente/password".path;
        # The email address from which to send the email. Set this to an email
        # address whose credentials you're providing.
        email = "ente@procopius.dk";
        # Optional override for the sender name in the emails. If specified, it will
        # be used for all emails sent by the instance (default is email specific).
        sender-name = "ente";
      };
      internal.admins = [
        1580559962386438
      ];
      s3 = {
        use_path_style_urls = true;
        b2-eu-cen = {
          endpoint = "https://ente-minio-api.procopius.dk";
          region = "us-east-1";
          bucket = "ente";
          key._secret = config.sops.secrets."ente/minio/root_user".path;
          secret._secret = config.sops.secrets."ente/minio/root_password".path;
        };
      };
    };
  };
  services.ente.web = {
    enable = true;
    domains = {
      api = "ente-museum.procopius.dk";
      accounts = "ente-accounts.procopius.dk";
      albums = "ente-albums.procopius.dk";
      cast = "ente-cast.procopius.dk";
      photos = "ente-photos.procopius.dk";
      auth = "ente-auth.procopius.dk";
    };
  };

  networking.firewall.allowedTCPPorts = [
    3000
    3001
    3002
    3003
    3004
    8080
  ];
}