{ pkgs, config, lib, ... }:

let
  cfg = config.modules.services.<service_name>;
  ids = <gid_and_uid_number>;
in
{
  options.modules.services.<service_name> = {
    enable = lib.mkEnableOption "enables <service_name>";
#    extra options
#    mode = lib.mkOption {
#      type = lib.types.enum [ "server" "client" ];
#      default = "client";
#      description = "whether syncthing should run as a client (user) or server (system-wide).";
#    };

  };

  config = lib.mkIf cfg.enable {
    
    # declare <service_name> group
    users.groups.<service_name> = { gid = ids; };

    # declare <service_name> user
    users.users.<service_name> = {
      description = "<service_name> media server user";
      uid = ids;
      isSystemUser = true;
      home = "/var/lib/<service_name>";
      createHome = true;
      group = "<service_name>";
      extraGroups = [ "media" "video" "render" ];
    };

    # enable the <service_name> service
    services.<service_name> = {
      enable = true;
      openFirewall = true;        # Opens 8096/8920 automatically
      user = "<service_name>";          # Default: <service_name>
      group = "<service_name>";         # Default: <service_name>
      dataDir = "/var/lib/<service_name>"; # Config + metadata storage
    };

    # override umask to make permissions work out
    systemd.services.<service_name>.serviceConfig = { UMask = lib.mkForce "0007"; };

    # open firewall
    #networking.firewall.allowedTCPPorts = [ 8096 ];

    # reverse proxy entryo
    services.nginx.virtualHosts."media.blakedheld.xyz" = {
      enableACME = false;
      forceSSL = true;
      sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
      sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
      locations."/" = {
        proxyPass = "http://127.0.0.1:8096";
      };
    };
  };
}