# NixOS module: runs the Actual Budget server and a separate HTTP API wrapper
# as podman containers, publishes both through Caddy, and feeds the API
# container its credentials from sops-nix.
{
  inputs,
  config,
  ...
}: let
  volumePath = "/overseer/services";

  # Fixed container addresses. They are used for --ip, the Caddy upstreams
  # and the API container's server URL, so they are defined once here.
  # NOTE(review): 10.88.0.x looks like podman's default bridge range; confirm.
  serverAddr = "10.88.0.12";
  apiAddr = "10.88.0.13";
in {
  # "d" rules with no mode/user/group fields fall back to the systemd-tmpfiles
  # defaults, so these directories are not restricted to a service account.
  # NOTE(review): the budget data lives under these paths; once the UID the
  # containers write as is confirmed, set an explicit mode and owner here.
  systemd.tmpfiles.rules = [
    "d ${volumePath}/actualbudget"
    "d ${volumePath}/actualbudget-api"
  ];

  # Both secrets are declared with sops-nix defaults.
  sops.secrets."actualbudget/pass" = {};
  sops.secrets."actualbudget/key" = {};

  # Env file for the API container. Only placeholders are written here;
  # sops-nix substitutes the real values when it renders the template, which
  # keeps the plaintext out of the Nix store.
  # NOTE(review): podman's --env-file parser is not a shell. Confirm whether
  # the surrounding double quotes end up inside the values the container
  # sees; if they do, the effective password and API key differ from the
  # values stored in sops.
  sops.templates."actualbudget-api-env".content = ''
    ACTUAL_SERVER_PASSWORD="${config.sops.placeholder."actualbudget/pass"}"
    API_KEY="${config.sops.placeholder."actualbudget/key"}"
  '';

  services.caddy.enable = true;

  # Web UI: no address filter at the proxy, so access control is whatever the
  # upstream application enforces. The hop to the container is plain HTTP.
  services.caddy.virtualHosts."budget.wanderingcrow.net".extraConfig = ''
    reverse_proxy http://${serverAddr}
  '';

  # API: allowlist by source address. Requests that come from neither the
  # configured public IP nor a private range are aborted.
  #  - remote_ip compares the address of the directly connected peer. If a
  #    CDN or another proxy is ever placed in front of Caddy, every request
  #    will carry that proxy's address; switch to client_ip with
  #    trusted_proxies configured before doing so.
  #  - private_ranges covers loopback and all RFC 1918 space, which includes
  #    the container network above. Any host or container that can reach
  #    Caddy from those ranges passes this filter, so API_KEY remains the
  #    only control for them.
  services.caddy.virtualHosts."api.budget.wanderingcrow.net".extraConfig = ''
    @block not remote_ip ${inputs.nix-secrets.network.primary.publicIP} private_ranges
    abort @block
    reverse_proxy http://${apiAddr}:5007
  '';

  virtualisation.oci-containers.backend = "podman";

  # Neither container declares `ports`, so nothing is published on the host;
  # Caddy reaches them over the container network only.
  #
  # Both images are pinned by tag. A tag can be re-pointed upstream; pinning
  # as image@sha256:<digest> (placeholder, take it from a verified pull)
  # makes the deployed content reproducible and reviewable on update.
  virtualisation.oci-containers.containers.actualbudget = {
    image = "actualbudget/actual-server:25.10.0";
    volumes = ["${volumePath}/actualbudget:/data"];
    extraOptions = ["--ip=${serverAddr}"];
    environment.ACTUAL_PORT = "80";
  };

  # Third-party wrapper image: it receives the server password and the API
  # key through the env file, so treat updates to it as a trust decision.
  # Values passed through an env file are part of the container's
  # environment and can be read by anyone able to inspect the container.
  virtualisation.oci-containers.containers."actualbudget-api" = {
    image = "jhonderson/actual-http-api:25.10.0";
    volumes = ["${volumePath}/actualbudget-api:/data"];
    extraOptions = ["--ip=${apiAddr}"];
    environment.ACTUAL_SERVER_URL = "http://${serverAddr}";
    environmentFiles = [config.sops.templates."actualbudget-api-env".path];
  };
}