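# NixOS module: exposes `mod.whib-backend.enable` and, when it is set,
# configures `services.whib-backend` and the age-encrypted secrets it needs.
#
# Secret handling in this file:
#   * Each credential is declared under `age.secrets` and referenced only by
#     the path of its decrypted file, so the world-readable Nix store holds
#     the path and never the secret value.
#   * Most options receive the literal text `$(<coreutils>/bin/cat <path>)`.
#     Nix does not run that command; the secret is read only if the
#     `services.whib-backend` module (not defined in this file) places the
#     option value in a shell-evaluated context at service start.
#     NOTE(review): confirm that every option fed this way ends up inside a
#     double-quoted shell expansion. Anywhere the value is used without a
#     shell (for example a systemd `Environment=` line) the service would
#     receive the literal `$(...)` text instead of the secret, and an unquoted
#     expansion would word-split a secret that contains whitespace.
#   * `gpgPassphraseFile` is handed the file path directly, which avoids the
#     shell round-trip altogether.
#   * NOTE(review): agenix-style secrets are decrypted root-only unless
#     `owner`/`group`/`mode` are set per secret; verify that the units that
#     read these files run with matching privileges.
{ pkgs, lib, config, ... }:
let
  enabled = config.mod.whib-backend.enable;

  # Returns shell command-substitution text that prints the decrypted
  # contents of the age secret `name` when a shell later evaluates it.
  # Only the secret's path is interpolated at Nix evaluation time.
  readSecretAtRuntime = name:
    "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.${name}.path})";
in
{
  options = {
    mod.whib-backend = {
      # mkEnableOption already prefixes the text with "Whether to enable",
      # so the argument is just the feature name (previously it rendered as
      # "Whether to enable enable WHIB backend.").
      enable = lib.mkEnableOption "WHIB backend";
    };
  };

  config = lib.mkIf enabled {
    services.whib-backend = {
      enable = true;

      domain = "whib-api.ppp.pm";
      useACMEHost = "whib-api.ppp.pm";

      backend = {
        signingKey = readSecretAtRuntime "whib-signing-key";
      };

      postgres = {
        database = "whib";
        host = "postgres";
        port = "5432";
        user = "whib";
        password = readSecretAtRuntime "whib-postgres-password";

        backup = {
          # systemd calendar expression: every day at midnight UTC.
          interval = "*-*-* 00:00:00 UTC";

          # Passed as a file path, not as command-substitution text.
          gpgPassphraseFile = config.age.secrets.whib-gpg-key.path;

          backblazeBucket = readSecretAtRuntime "whib-backblaze-bucket";
          backblazeKeyID = readSecretAtRuntime "whib-backblaze-key-id";
          backblazeKey = readSecretAtRuntime "whib-backblaze-key";
        };
      };

      grafana = {
        password = readSecretAtRuntime "whib-grafana-password";
      };
    };

    # Encrypted sources for every secret referenced above. Only the `.age`
    # ciphertext is part of the repository; decryption happens on the host.
    age.secrets = {
      "whib-signing-key".file = ../../../../secrets/tadpole/whib-signing-key.age;
      "whib-postgres-password".file = ../../../../secrets/tadpole/whib-postgres-password.age;
      "whib-gpg-key".file = ../../../../secrets/tadpole/whib-gpg-key.age;
      "whib-backblaze-bucket".file = ../../../../secrets/tadpole/whib-backblaze-bucket.age;
      "whib-backblaze-key-id".file = ../../../../secrets/tadpole/whib-backblaze-key-id.age;
      "whib-backblaze-key".file = ../../../../secrets/tadpole/whib-backblaze-key.age;
      "whib-grafana-password".file = ../../../../secrets/tadpole/whib-grafana-password.age;
    };
  };
}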