{
  pkgs,
  lib,
  config,
  ...
}:
let
  enabled = config.mod.whib-backend.enable;
in
{
  options = {
    mod.whib-backend = {
      enable = lib.mkEnableOption "enable WHIB backend";
    };
  };

  config = lib.mkIf enabled {
    environment.systemPackages = [ pkgs.gnupg ];

    services.whib-backend = {
      enable = true;
      domain = "whib-backend.local";

      backend = {
        signingKey = "super-secret-key";
      };

      postgres = {
        password = "postgrespassword";

        backup = {
          gpgPassphraseFile = ./whib-gpgPassfile;

          backblazeBucket = "whib-postgres-backups";
          backblazeKeyID = "003867c33cd1a9b0000000003";
          backblazeKey = "K003+GUNG0lwTOMS5EheKC9YzgxFzuU";
        };
      };

      grafana = {
        password = "granfanapassword";
      };
    };

    virtualisation.vmVariant = {
      virtualisation = {
        sharedDirectories = {
          my-shared = {
            source = "/home/alex/whib-backup";
            target = "/mnt/shared";
          };
        };

        forwardPorts = [
          {
            # Service API
            from = "host";
            host.port = 8080;
            guest.port = 8080;
          }
          {
            # Service Metrics
            from = "host";
            host.port = 8181;
            guest.port = 8181;
          }
          {
            # Postgres
            from = "host";
            host.port = 5432;
            guest.port = 5432;
          }
          {
            # Grafana
            from = "host";
            host.port = 3000;
            guest.port = 3000;
          }
          {
            # Prometheus
            from = "host";
            host.port = 9090;
            guest.port = 9090;
          }
        ];
      };
    };
  };
}