# NixOS module: Tandoor Recipes backed by a local PostgreSQL instance and
# published through a Caddy reverse proxy. Secrets are declared through sops-nix.
{ config, pkgs, lib, ... }:
let
  # One name serves as both the PostgreSQL role and the database it owns.
  dbRole = "tandoor";
  secrets = config.sops.secrets;
in
{
  # Both secrets use sops-nix defaults; only their decrypted paths are
  # referenced below.
  sops.secrets = {
    tandoor-secret = {};
    tandoor-pass = {};
  };

  services.tandoor-recipes = {
    enable = true;
    port = 7666;
    extraConfig = {
      # NOTE(review): this assigns the *path* of the decrypted secret, not its
      # contents. If extraConfig values reach the service as literal
      # environment values (as the nixpkgs module appears to do), Django would
      # sign sessions and tokens with a predictable path string. Deliver the
      # key as a `SECRET_KEY=...` line in a file loaded via EnvironmentFile
      # instead, and rotate the key after the change.
      SECRET_KEY = secrets.tandoor-secret.path;
      DB_ENGINE = "django.db.backends.postgresql";
      POSTGRES_HOST = "127.0.0.1";
      POSTGRES_PORT = config.services.postgresql.port;
      POSTGRES_USER = dbRole;
      POSTGRES_DB = dbRole;
      # NOTE(review): self-registration is enabled while the instance is
      # published under the virtual host below; confirm open signup is
      # intended, or disable it once the expected accounts exist.
      ENABLE_SIGNUP = "1";
    };
  };

  # Extra environment for the unit, read from the decrypted secret at start-up
  # so the value never enters the Nix store.
  # Presumably holds POSTGRES_PASSWORD in KEY=value form; confirm against the
  # sops file.
  systemd.services.tandoor-recipes.serviceConfig.EnvironmentFile =
    secrets.tandoor-pass.path;

  services.postgresql = {
    enable = true;
    port = 5432;
    ensureDatabases = [ dbRole ];
    ensureUsers = [
      {
        name = dbRole;
        ensureDBOwnership = true;
        # NOTE(review): CREATEDB lets this role create further databases. The
        # database already comes from ensureDatabases and is owned through
        # ensureDBOwnership, so this grant looks broader than the application
        # needs; confirm and drop it if unused.
        ensureClauses = {
          createdb = true;
        };
      }
    ];
  };

  # Caddy forwards the public host name to the loopback port Tandoor uses.
  # NOTE(review): verify the application port is not reachable directly
  # (listen address / firewall) so that all traffic passes through the proxy.
  services.caddy.virtualHosts."tandoor.syzygial.cc".extraConfig = ''
    reverse_proxy 127.0.0.1:${toString config.services.tandoor-recipes.port}
  '';
}