{
  config,
  lib,
  pkgs,
  ...
}: {
  services.invidious = {
    enable = true;
    package = pkgs.unstable.invidious;

    database.passwordFile = config.age.secrets."services/invidious/password-database".path;
    domain = "iv.winston.sh";
    port = 3030;
    nginx.enable = true;

    settings = {
      external_port = lib.mkForce 443;
      popular_enabled = false;
      statistics_enabled = false;
      use_pubsub_feeds = true;
      default_user_preferences = {
        region = "US";
      };
    };
    extraSettingsFile = config.age.secrets."services/invidious/config.json".path;
  };

  services.nginx.virtualHosts.${config.services.invidious.domain} = {
    forceSSL = true;
    enableACME = false;
    useACMEHost = "winston.sh";
  };

  age.secrets."services/invidious/config.json".mode = "777";
}