# NixOS module: runs xray behind an nginx WebSocket location, with the xray
# settings file supplied by sops-nix and the service pinned to a static
# system account.
{ config, lib, ... }:

let
  vhost = "simul.lol";
  upstreamPort = 14060;
  svcUser = "xray";
  svcGroup = "xray";
  secretKey = "svc-xray-settings";
in
{
  services = {
    # depends upon sim-breeze.nix
    # NOTE(review): TLS and other vhost-level settings are not defined in this
    # file; presumably they come from sim-breeze.nix. Confirm there.
    nginx.virtualHosts.${vhost}.locations."/streaming" = {
      # Forwards to a loopback port. The xray inbound itself is defined in the
      # encrypted settings file and is not visible here.
      # NOTE(review): confirm the inbound binds to 127.0.0.1 and not to all
      # interfaces, so that it is reachable only through nginx.
      proxyPass = "http://127.0.0.1:${toString upstreamPort}";
      proxyWebsockets = true;
    };

    xray = {
      enable = true;
      # Path of the decrypted file at runtime; the secret content never enters
      # the Nix store through this option.
      settingsFile = config.sops.secrets.${secretKey}.path;
    };
  };

  sops.secrets.${secretKey} = {
    sopsFile = ../../../../secrets/silver/xray.json;
    format = "json";
    # xray needs .json extension
    name = "svc-xray-settings.json";
    # extract whole file. not nonexistent key `svc-xray-settings`
    key = "";
    # The decrypted file is owned by the service account. `mode` is left unset
    # here, so the sops-nix default file mode applies.
    owner = svcUser;
    group = svcGroup;
  };

  # assign user/group to xray
  users = {
    users.${svcUser} = {
      isSystemUser = true;
      group = svcGroup;
    };
    groups.${svcGroup} = { };
  };

  systemd.services.xray.serviceConfig = {
    User = svcUser;
    Group = svcGroup;
    # mkForce overrides the value set elsewhere for this unit, so the service
    # runs as the static account that owns the decrypted settings file.
    # NOTE(review): systemd's DynamicUser= implies several sandboxing settings
    # (ProtectSystem=strict, ProtectHome=read-only, PrivateTmp=, RemoveIPC=).
    # With it forced off those are no longer implied; check which of them the
    # unit still sets explicitly.
    DynamicUser = lib.mkForce false;
  };
}