# NixOS module: a MinIO object store for Ente, with root credentials supplied
# through sops-nix and an `ente` bucket directory created after startup.
{ config, pkgs, lib, ... }:
let
  # Name of the sops-nix template that renders the MinIO environment file.
  credentialsTemplate = "minio-root-credentials";
in
{
  sops = {
    # Encrypted secrets holding the MinIO root identity.
    secrets = {
      "ente/minio/root_user" = { };
      "ente/minio/root_password" = { };
    };

    # Only placeholders are interpolated here; sops-nix substitutes the real
    # values when it renders the template at activation time, so the
    # credentials themselves are not part of this expression's output.
    templates.${credentialsTemplate}.content = ''
      MINIO_ROOT_USER=${config.sops.placeholder."ente/minio/root_user"}
      MINIO_ROOT_PASSWORD=${config.sops.placeholder."ente/minio/root_password"}
    '';
  };

  services.minio = {
    enable = true;
    # Point MinIO at the rendered template instead of inlining credentials.
    rootCredentialsFile = config.sops.templates.${credentialsTemplate}.path;
  };

  systemd.services.minio = {
    # Public URL advertised by MinIO. It is https while the health check below
    # talks plain http to localhost:9000, so TLS is presumably terminated by a
    # reverse proxy that is not part of this module. TODO confirm.
    environment.MINIO_SERVER_URL = "https://ente-minio-api.procopius.dk";

    # NOTE(review): as far as I recall, services.minio.dataDir is a list option;
    # the interpolation below only yields one valid path when it has a single
    # entry. Confirm against the module in use.
    # NOTE(review): only the root credentials are defined here. If the Ente
    # server is handed these, a scoped access key would limit the impact of a
    # leak; the consumer is not visible in this file.
    postStart = ''
      # Wait until minio is up
      ${lib.getExe pkgs.curl} --retry 5 --retry-connrefused --fail --no-progress-meter -o /dev/null "http://localhost:9000/minio/health/live"

      # Make sure bucket exists
      mkdir -p ${lib.escapeShellArg config.services.minio.dataDir}/ente
    '';
  };

  # NOTE(review): this opens 9000 and 9001 on every interface. 9000 is the port
  # the health check uses; 9001 is presumably the MinIO console. If the TLS
  # reverse proxy runs on this host, these ports may not need to be reachable
  # from outside at all. Otherwise consider restricting them to the proxy's
  # interface or source address, since direct access is unencrypted http.
  networking.firewall.allowedTCPPorts = [
    9000
    9001
  ];
}