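# NixOS module wrapping the upstream copyparty module for this homelab.
#
# Declares `holocron.copyparty.*` options (port, url, data_dir, ids, backup)
# and, when enabled, creates the service user/group, configures copyparty
# volumes and accounts, publishes it through Caddy, registers a glance link,
# declares the sops secret holding the account password, and adds the data
# directory to the backup set.
{
  pkgs,
  config,
  lib,
  inputs,
  ...
}: let
  service = "copyparty";
  cfg = config.holocron.${service};
  sec = config.sops.secrets;
  homelab = config.homelab;
in {
  imports = [inputs.copyparty.nixosModules.default];

  options.holocron.${service} = {
    enable = lib.mkEnableOption "enables ${service}";

    # set port options
    port = lib.mkOption {
      type = lib.types.int;
      default = 7902;
      description = "set port for ${service} (default: ${toString cfg.port})";
    };
    url = lib.mkOption {
      type = lib.types.str;
      default = "${service}.${homelab.base_domain}";
      description = "set domain for ${service}";
    };
    data_dir = lib.mkOption {
      type = lib.types.str;
      default = "/var/lib/${service}";
      description = "set data directory for ${service}";
    };
    # Defaults to the port number, so overriding `port` without pinning `ids`
    # also moves the uid/gid of the service account.
    ids = lib.mkOption {
      type = lib.types.int;
      default = cfg.port;
      description = "set uid and gid of ${service} user (matches port by default)";
    };
    backup = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = "enable backups for ${service}";
    };
  };

  config = lib.mkIf cfg.enable {
    nixpkgs.overlays = [inputs.copyparty.overlays.default];

    # declare ${service} group
    users.groups.${service} = {
      gid = lib.mkForce cfg.ids;
    };

    # declare ${service} user
    users.users.${service} = {
      description = lib.mkForce "${service} server user";
      uid = lib.mkForce cfg.ids;
      isSystemUser = true;
      home = cfg.data_dir;
      createHome = true;
      group = service;
      # Supplementary groups give the daemon access to the shared trees it
      # serves; membership in "blake" extends to that user's group-readable files.
      extraGroups = ["media" "blake" "archives"];
    };

    # enable the ${service} service
    services.${service} = {
      enable = true;
      user = service;
      group = service;
      settings = {
        # NOTE(review): listening on every interface, together with the
        # firewall rule below, leaves the plain-HTTP listener reachable without
        # going through Caddy's TLS. The glance check-url depends on
        # host_ip:port, so this is kept as-is; if direct access is not needed,
        # bind to 127.0.0.1 and drop the firewall rule.
        i = "0.0.0.0";
        # Follow the module option so the listener, the firewall rule and the
        # Caddy upstream cannot drift apart (this was hard-coded to 7902).
        p = [cfg.port];
        # Client address is taken from the proxy's forwarded header.
        # NOTE(review): confirm copyparty's trusted proxy sources (xff-src)
        # stay limited to the local Caddy instance while the port is also
        # exposed directly.
        rproxy = 1;
      };
      accounts = {
        blake = {
          # Password is read from the sops-managed secret declared below, so it
          # is not written into the Nix store.
          passwordFile = sec."${service}_passwd".path;
        };
      };
      groups = {
        media = ["blake"];
      };
      volumes = {
        # NOTE(review): r = "*" grants read access to unauthenticated clients.
        # The Caddy vhost below also answers on the public domain; whether that
        # is internet-reachable depends on DNS/edge config outside this file.
        "/archives" = {
          path = "/holocron/archives";
          access = {
            r = "*";
            A = "blake";
          };
          # NOTE(review): modes are Nix integers; presumably rendered as the
          # digits 660/770 and read by copyparty as octal - confirm.
          flags = {
            chmod_f = 660;
            chmod_d = 770;
            #gid = ?;
          };
        };
        # Same anonymous-read policy as /archives; members of @media may write.
        "/media" = {
          path = "/holocron/media";
          access = {
            r = "*";
            w = "@media";
            A = "blake";
          };
          flags = {
            chmod_f = 660;
            chmod_d = 770;
            gid = 700;
          };
        };
        # Private volume: only the blake account has any access.
        "/users/blake" = {
          path = "/holocron/users/blake";
          access = {
            A = "blake";
          };
          flags = {
            chmod_f = 660;
            chmod_d = 770;
            gid = 1000;
          };
        };
      };
    };

    # open firewall
    networking.firewall.allowedTCPPorts = [cfg.port];

    # add to caddy for reverse proxy
    services.caddy.virtualHosts."${cfg.url}" = {
      serverAliases = ["${service}.${homelab.public_domain}"];
      extraConfig = ''
        tls /etc/ssl/blakedheld.xyz.crt /etc/ssl/blakedheld.xyz.key
        reverse_proxy 127.0.0.1:${toString cfg.port} {
        }
      '';
    };

    # add to glance (local service)
    homelab.glance.links.system = [
      {
        title = service;
        url = "https://${cfg.url}";
        error-url = "http://${homelab.host_ip}:${toString cfg.port}";
        check-url = "http://${homelab.host_ip}:${toString cfg.port}";
        icon = "di:${service}";
      }
    ];

    # Secret is owned by the service account so only copyparty can read it.
    sops.secrets = {
      "${service}_passwd" = {
        owner = service;
        group = service;
      };
    };

    # add to backups
    homelab.backups.baks = {
      ${service} = {
        paths = [cfg.data_dir];
      };
    };
  };
}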