# NixOS module: runs the Actual Budget server and its HTTP API sidecar as
# podman containers behind Caddy, plus a scheduled report job. Every
# credential is supplied through sops-nix secrets and rendered templates.
{ inputs, config, ... }:
let
  volumePath = "/overseer/services";
  sopsFolder = builtins.toString inputs.nix-secrets + "/sops";

  # All secrets declared below are read from this one encrypted file.
  servicesFile = "${sopsFolder}/services.yaml";

  # Fixed container addresses. Each is used twice (podman --ip flag and Caddy
  # upstream), so naming them once keeps the two from drifting apart.
  serverIp = "10.88.0.12";
  apiIp = "10.88.0.13";

  # Secret keys this host needs decrypted.
  secretNames = [
    "actualbudget/pass"
    "actualbudget/key"
    "actualbudget/client-id"
    "actualbudget/recipients"
    "actualbudget/client-secret"
    "actualbudget/sync-id"
    "generic/smtp/server"
    "generic/smtp/port"
    "generic/smtp/user"
    "generic/smtp/pass"
  ];

  # Placeholders are substituted by sops-nix when a template is rendered, so
  # the evaluated strings below carry placeholders, not secret values.
  secret = config.sops.placeholder;
in
{
  nixpkgs.overlays = [ inputs.actualbudget-report.overlays.default ];
  imports = [ inputs.actualbudget-report.nixosModules.default ];

  # Host directories bind-mounted into the containers as /data.
  # NOTE(review): no mode/user/group is given, so the systemd-tmpfiles defaults
  # apply (0755, root:root). Confirm that is acceptable for directories that
  # hold budget data, or tighten once the containers' runtime UID is known.
  systemd.tmpfiles.rules = map (name: "d ${volumePath}/${name}") [
    "actualbudget"
    "actualbudget-api"
  ];

  sops = {
    # One entry per name, each pointing at the shared services file.
    secrets = builtins.listToAttrs (
      map (name: {
        inherit name;
        value = {
          sopsFile = servicesFile;
        };
      }) secretNames
    );

    templates = {
      # OpenID Connect settings for the Actual server container.
      "actualbudget-env".content = ''
        ACTUAL_OPENID_DISCOVERY_URL=https://auth.wanderingcrow.net/.well-known/openid-configuration
        ACTUAL_OPENID_CLIENT_ID=${secret."actualbudget/client-id"}
        ACTUAL_OPENID_CLIENT_SECRET=${secret."actualbudget/client-secret"}
        ACTUAL_OPENID_SERVER_HOSTNAME=https://budget.wanderingcrow.net
      '';

      # Credentials the API sidecar uses against the server, plus the key it
      # expects from its own clients.
      "actualbudget-api-env".content = ''
        ACTUAL_SERVER_URL=https://budget.wanderingcrow.net
        ACTUAL_SERVER_PASSWORD=${secret."actualbudget/pass"}
        API_KEY=${secret."actualbudget/key"}
      '';

      # Report job: same API key as the sidecar, plus SMTP credentials.
      # Rotating "actualbudget/key" therefore affects both consumers.
      "actualbudget-report-env".content = ''
        BASE_URL=https://api.budget.wanderingcrow.net
        API_KEY=${secret."actualbudget/key"}
        SYNC_ID=${secret."actualbudget/sync-id"}
        SMTP_USERNAME=${secret."generic/smtp/user"}
        SMTP_PASSWORD=${secret."generic/smtp/pass"}
        SMTP_HOST=${secret."generic/smtp/server"}
        SMTP_PORT=${secret."generic/smtp/port"}
        SMTP_RECIPIENTS=${secret."actualbudget/recipients"}
      '';
    };
  };

  # Caddy is the public entry point for both hostnames; upstream traffic to the
  # containers is plain HTTP.
  # NOTE(review): the API vhost is published like the UI vhost, and the only
  # credential visible in this file for it is API_KEY. Confirm the exposure is
  # intended, or restrict the vhost at the proxy if the report job is its only
  # client.
  services.caddy = {
    enable = true;
    virtualHosts = {
      "budget.wanderingcrow.net".extraConfig = ''
        reverse_proxy http://${serverIp}
      '';
      "api.budget.wanderingcrow.net".extraConfig = ''
        reverse_proxy http://${apiIp}:5007
      '';
    };
  };

  # NOTE(review): both images are referenced by tag only. Registry tags are
  # mutable, so pinning by digest (image@sha256:<digest>) would make the
  # deployed content reproducible and reviewable.
  virtualisation.oci-containers = {
    backend = "podman";
    containers = {
      "actualbudget" = {
        image = "actualbudget/actual-server:25.10.0";
        volumes = [ "${volumePath}/actualbudget:/data" ];
        extraOptions = [ "--ip=${serverIp}" ];
        # Matches the port-less upstream URL in the Caddy vhost above.
        environment = {
          ACTUAL_PORT = "80";
        };
        environmentFiles = [ config.sops.templates."actualbudget-env".path ];
      };

      "actualbudget-api" = {
        image = "jhonderson/actual-http-api:25.10.0";
        volumes = [ "${volumePath}/actualbudget-api:/data" ];
        extraOptions = [ "--ip=${apiIp}" ];
        environmentFiles = [ config.sops.templates."actualbudget-api-env".path ];
      };
    };
  };

  # Scheduled report sender from the actualbudget-report flake module.
  # The interval is presumably a systemd calendar expression; the module
  # definition is not visible here.
  services.actualbudget-report = {
    enable = true;
    interval = "Sun,Wed 12:00:00";
    environmentFile = config.sops.templates."actualbudget-report-env".path;
  };
}