# NixOS module: an Invidious instance published through nginx over HTTPS.
# Secrets (database password, extra JSON settings) are referenced by the path
# of their agenix entry, so only a file path appears in the evaluated config.
{ config, lib, pkgs, ... }:
let
  # Shorthand for the agenix secret set declared elsewhere in the system config.
  secrets = config.age.secrets;
in
{
  services.invidious = {
    enable = true;
    # `pkgs.unstable` is not visible in this file; presumably an overlay that
    # exposes a second nixpkgs channel. Confirm its pin when auditing updates.
    package = pkgs.unstable.invidious;

    domain = "iv.winston.sh";
    port = 3030;

    nginx = {
      enable = true;
    };

    database = {
      # NOTE(review): unlike config.json below, this secret gets no `owner`
      # override in this file. agenix secrets are root-owned unless told
      # otherwise, so confirm that whatever reads this file at service start
      # has access to it.
      passwordFile = secrets."services/invidious/password-database".path;
    };

    # Additional settings loaded from a decrypted file at runtime; presumably
    # holds values that should not be written into `settings` (verify contents).
    extraSettingsFile = secrets."services/invidious/config.json".path;

    settings = {
      # Forced to 443; presumably because clients reach the instance through
      # the TLS vhost below rather than on `port` directly.
      external_port = lib.mkForce 443;

      db = {
        user = "invidious";
      };

      enable_user_notifications = false;
      popular_enabled = false;
      statistics_enabled = true;
      use_pubsub_feeds = true;

      default_user_preferences = {
        region = "US";
        feed_menu = [ "Subscriptions" "Playlists" ];
        default_home = lib.mkForce null;
      };
    };
  };

  # TLS for the vhost named after the Invidious domain. No certificate is
  # requested for this host itself (enableACME = false); it reuses the one
  # issued for "winston.sh", which therefore has to cover iv.winston.sh.
  services.nginx.virtualHosts."${config.services.invidious.domain}" = {
    forceSSL = true;
    enableACME = false;
    useACMEHost = "winston.sh";
  };

  # A static system user and group so the agenix secret below can be owned by
  # a named account.
  users = {
    users.invidious = {
      isSystemUser = true;
      group = "invidious";
    };
    groups.invidious = { };
  };

  # Let the invidious account read the decrypted extra-settings file.
  age.secrets."services/invidious/config.json" = {
    owner = "invidious";
  };
}