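# NixOS module for the Actual Budget stack:
#   * actualbudget        - the Actual server container (host networking)
#   * actualbudget-api    - an HTTP API wrapper container in front of the server
#   * actualbudget-report - a scheduled report job that talks to the API and
#                           sends mail over SMTP
# Caddy serves the two public hostnames and proxies them to local ports.
# All credentials come from sops and are rendered into per-service
# environment files through sops templates, so no secret value is written
# into this file.
{
  lib,
  inputs,
  config,
  ...
}:
let
  # Host directory that holds the persistent container volumes.
  volumePath = "/overseer/services";

  # Encrypted secret files live in the separate nix-secrets input.
  sopsFolder = builtins.toString inputs.nix-secrets + "/sops";

  # Ports are handed out by the project's autoport helper, keyed by name.
  serverPort = builtins.toString (lib.custom.autoport "serverActualbudget");
  apiPort = builtins.toString (lib.custom.autoport "apiActualbudget");

  # Every secret used here is read from the same sops file.
  servicesSecret = {
    sopsFile = "${sopsFolder}/services.yaml";
  };
in
{
  nixpkgs.overlays = [ inputs.actualbudget-report.overlays.default ];

  imports = [ inputs.actualbudget-report.nixosModules.default ];

  # NOTE(review): no mode/owner is given, so tmpfiles applies its defaults to
  # directories that hold budget data. Consider an explicit restrictive mode
  # once the UID the containers write as has been confirmed.
  systemd.tmpfiles.rules = [
    "d ${volumePath}/actualbudget"
    "d ${volumePath}/actualbudget-api"
  ];

  sops = {
    # NOTE(review): "actualbudget/client-id" and "actualbudget/client-secret"
    # are referenced only by the commented-out OpenID settings below, but they
    # are still declared and therefore still provisioned on the host. Drop
    # them if OpenID is not coming back.
    secrets = lib.genAttrs [
      "actualbudget/pass"
      "actualbudget/key"
      "actualbudget/client-id"
      "actualbudget/recipients"
      "actualbudget/client-secret"
      "actualbudget/sync-id"
      "generic/smtp/server"
      "generic/smtp/port"
      "generic/smtp/user"
      "generic/smtp/pass"
    ] (_: servicesSecret);

    # One rendered environment file per consumer, so each service sees only
    # the secrets it needs.
    # NOTE(review): no owner/mode is set on the templates; confirm each
    # consumer runs as a user that can read its file and nobody else can.
    templates = {
      # ACTUAL_OPENID_DISCOVERY_URL=https://auth.wanderingcrow.net/.well-known/openid-configuration
      # ACTUAL_OPENID_CLIENT_ID=${config.sops.placeholder."actualbudget/client-id"}
      # ACTUAL_OPENID_CLIENT_SECRET=${config.sops.placeholder."actualbudget/client-secret"}
      # ACTUAL_OPENID_SERVER_HOSTNAME=https://budget.wanderingcrow.net
      "actualbudget-env".content = ''
        ACTUAL_PORT=${serverPort}
      '';

      "actualbudget-api-env".content = ''
        ACTUAL_SERVER_URL=https://budget.wanderingcrow.net
        ACTUAL_SERVER_PASSWORD=${config.sops.placeholder."actualbudget/pass"}
        API_KEY=${config.sops.placeholder."actualbudget/key"}
      '';

      "actualbudget-report-env".content = ''
        BASE_URL=https://api.budget.wanderingcrow.net
        API_KEY=${config.sops.placeholder."actualbudget/key"}
        SYNC_ID=${config.sops.placeholder."actualbudget/sync-id"}
        SMTP_USERNAME=${config.sops.placeholder."generic/smtp/user"}
        SMTP_PASSWORD=${config.sops.placeholder."generic/smtp/pass"}
        SMTP_HOST=${config.sops.placeholder."generic/smtp/server"}
        SMTP_PORT=${config.sops.placeholder."generic/smtp/port"}
        SMTP_RECIPIENTS=${config.sops.placeholder."actualbudget/recipients"}
      '';
    };
  };

  services.caddy = {
    enable = true;
    virtualHosts = {
      "budget.wanderingcrow.net".extraConfig = ''
        reverse_proxy http://localhost:${serverPort}
      '';
      # The API container is published on IPv4 loopback only (see below), so
      # the upstream is addressed by that literal rather than by "localhost".
      "api.budget.wanderingcrow.net".extraConfig = ''
        reverse_proxy http://127.0.0.1:${apiPort}
      '';
    };
  };

  virtualisation.quadlet = {
    containers = {
      # NOTE(review): both images are referenced by short name and mutable
      # tag. They receive the server password and API key, so consider a
      # fully qualified registry name plus a digest pin
      # (name:tag@sha256:<digest-placeholder>) so a re-pushed tag cannot
      # change what runs here.

      # NOTE(review): host networking places the server's listener in the
      # host network namespace. Unless the server is configured to bind
      # loopback only, ${serverPort} may be reachable over plain HTTP on every
      # interface the firewall allows, bypassing Caddy. Confirm the firewall
      # covers it, or switch to a loopback-published port like the API
      # container.
      actualbudget.containerConfig = {
        image = "actualbudget/actual-server:26.2.0";
        volumes = [ "${volumePath}/actualbudget:/data" ];
        environmentFiles = [ config.sops.templates."actualbudget-env".path ];
        networks = [ "host" ];
      };

      actualbudget-api.containerConfig = {
        image = "jhonderson/actual-http-api:26.2.0";
        volumes = [ "${volumePath}/actualbudget-api:/data" ];
        environmentFiles = [ config.sops.templates."actualbudget-api-env".path ];
        # Publish on loopback only. Without an address the port is bound on
        # all host interfaces, which would expose the API over plain HTTP
        # next to the Caddy virtual host that is meant to front it.
        publishPorts = [ "127.0.0.1:${apiPort}:5006" ];
      };
    };
  };

  # Report job from the actualbudget-report module; the schedule string is
  # passed through to that module unchanged.
  services.actualbudget-report = {
    enable = true;
    interval = "Sun,Wed 12:00:00";
    environmentFile = config.sops.templates."actualbudget-report-env".path;
  };
}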