{
  config,
  pkgs,
  ...
}: {
  services.wakapi = {
    enable = true;
    package = pkgs.unstable.wakapi;

    domain = "wakapi.winston.sh";
    port = 15912;
    nginx.enable = true;
    passwordSaltFile = config.age.secrets."services/wakapi/password-salt.env".path;
    settings = {
      app.avatar_url_template = "https://www.gravatar.com/avatar/{email_hash}.png";
      mail.enabled = false;
      security = {
        allow_signup = false;
        disable_frontpage = true;
      };
    };
  };

  services.nginx.virtualHosts.${config.services.wakapi.domain} = {
    forceSSL = true;
    enableACME = false;
    useACMEHost = "winston.sh";
  };

  # for agenix owner permissions
  age.secrets."services/wakapi/password-salt.env".owner = "wakapi";
  users = {
    groups.wakapi = {};
    users.wakapi = {
      isSystemUser = true;
      group = "wakapi";
    };
  };
}