{ config, ... }:
{
  services.atticd = {
    enable = true;
    credentialsFile = config.age.secrets."services/attic/atticd.env".path;
    settings = {
      listen = "127.0.0.1:8080";
      chunking = {
        nar-size-threshold = 64 * 1024; # 64 KiB
        min-size = 16 * 1024; # 16 KiB
        avg-size = 64 * 1024; # 64 KiB
        max-size = 256 * 1024; # 256 KiB
      };
      storage = {
        bucket = "attic";
        endpoint = "https://s3.winston.sh";
        region = "eu-central-1";
        type = "s3";
      };
    };
  };

  services.nginx.virtualHosts."attic.winston.sh" = {
    forceSSL = true;
    enableACME = false;
    useACMEHost = "winston.sh";

    locations."/" = {
      extraConfig =
        # nginx
        ''
          client_max_body_size 512M;
        '';
      proxyPass = "http://${config.services.atticd.settings.listen}";
    };
  };
}