# NixOS module: publishes the sim-breeze upload service at https://simul.lol.
# nginx terminates TLS, requires a client certificate verified against
# keys/cloudflare.pem, and proxies to the service on a loopback port.
{ config, ... }:
let
  domain = "simul.lol";
  backendPort = 14012;
  # Single definition of the loopback endpoint so that the nginx upstream and
  # the service's listen address cannot drift apart.
  backendAddr = "127.0.0.1:${toString backendPort}";

  svcUser = "sim-breeze";
  uploadDir = "/srv/uploads-sim";
  secretName = "svc-sim-breeze-upload_key";

  # CA bundle that client certificates are checked against.
  # NOTE(review): if this is Cloudflare's shared origin-pull CA, a valid
  # client certificate shows the request came through Cloudflare, not
  # necessarily through this zone — confirm which certificate is in use.
  originPullCa = ../../../keys/cloudflare.pem;

  # Size multipliers; presumably the limits below are byte counts — confirm
  # against the sim-breeze documentation.
  mib = 1024 * 1024;
  gib = 1024 * mib;
in {
  # Decrypted upload key, owned by the service account.
  sops.secrets.${secretName} = {
    owner = svcUser;
    group = svcUser;
  };

  # Upload directory: mode 0750, owned by the service user and group.
  systemd.tmpfiles.rules = [
    "d ${uploadDir} 0750 ${svcUser} ${svcUser} - -"
  ];

  services = {
    nginx.virtualHosts.${domain} = {
      enableACME = true;
      forceSSL = true;
      quic = true;

      # Plain HTTP to the backend on loopback. Local processes can reach this
      # port directly, without passing the client-certificate check.
      # NOTE(review): nginx's request-body limit is not set in this file; check
      # that it is raised elsewhere if uploads up to max_upload_len are expected.
      locations."/".proxyPass = "http://${backendAddr}";

      # Reject TLS clients that do not present a certificate chaining to
      # originPullCa.
      extraConfig = ''
        ssl_client_certificate ${originPullCa};
        ssl_verify_client on;
      '';
    };

    sim-breeze = {
      enable = true;
      # The key is handed over as a file path, not as an inline value.
      uploadKeyFile = config.sops.secrets.${secretName}.path;

      settings = {
        logger = { level = "info"; };
        # Bound to loopback only; nginx is the sole network-facing listener
        # configured in this file.
        http = { listen_on = backendAddr; };

        engine = {
          base_url = "https://${domain}";
          max_upload_len = 2 * gib;
          max_temp_lifetime = 12 * 60 * 60; # 43200; presumably seconds — confirm
          max_strip_len = 16 * mib;

          disk = { save_path = uploadDir; };

          cache = {
            max_length = 256 * mib;
            upload_lifetime = 30 * 60; # 1800; presumably seconds — confirm
            scan_freq = 60;
            mem_capacity = 4 * gib;
          };
        };
      };
    };
  };
}