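# NixOS module: hledger-web in read-only ("view") mode, listening on a unix
# socket inside a tightly confined systemd unit, fronted by nginx with HTTP
# basic auth whose htpasswd is supplied by a sops-managed secret.
{ config, lib, pkgs, ... }:
let
  host = "hledger.yggdrasil.li";
  socket = "/run/hledger-web/http.sock";
  # Read the numeric ids back from config so the tmpfs mount options below
  # always agree with the uid/gid the hledger user actually ends up with.
  inherit (config.users.users.hledger) uid;
  inherit (config.users.groups.hledger) gid;
in
{
  config = {
    services.hledger-web = {
      enable = true;
      # "view" disables editing in the UI; the unit below also mounts the
      # journal directory read-only, so the two enforce the same thing.
      allow = "view";
      stateDir = "/var/lib/hledger";
      journalFiles = lib.mkForce [ "web.journal" ];
      baseUrl = "https://${host}";
      extraOptions = [ "--socket=${socket}" ];
    };

    # Pinned ids: they are interpolated into the unit's mount options, so they
    # must be stable across rebuilds rather than allocated dynamically.
    users.users.hledger.uid = 982;
    users.groups.hledger.gid = 979;

    systemd.services = {
      hledger-web.serviceConfig = {
        # 0002 leaves the socket created in RuntimeDirectory group-writable;
        # nginx is added to the hledger group below, which is what lets it connect.
        UMask = "0002";
        RuntimeDirectory = [ "hledger-web" ];
        StateDirectory = "hledger";
        # Journal directory is read-only from inside the unit; the only writable
        # location the service gets is the tmpfs-backed cache directory.
        ReadOnlyPaths = [ config.services.hledger-web.stateDir ];
        TemporaryFileSystem = [
          "/var/lib/hledger/.cache:mode=0750,uid=${toString uid},gid=${toString gid}"
        ];

        # Filesystem / kernel-surface hardening.
        ProtectSystem = "strict";
        ProtectHome = "tmpfs";
        PrivateDevices = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectKernelLogs = true;
        ProtectControlGroups = true;
        ProtectClock = true;
        ProtectHostname = true;
        ProtectProc = "invisible";
        ProcSubset = "pid";

        # Privilege / namespace hardening.
        CapabilityBoundingSet = "";
        AmbientCapabilities = "";
        NoNewPrivileges = true;
        PrivateUsers = true;
        RestrictSUIDSGID = true;
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RemoveIPC = true;
        LockPersonality = true;

        # Network: the unit keeps the host network namespace (it needs to bind
        # the unix socket nginx reaches), but is limited to these families.
        PrivateNetwork = false;
        RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX";

        # Syscall allow-list, with the obsolete and privileged groups removed.
        SystemCallArchitectures = "native";
        SystemCallFilter = [ "@system-service @resources" "~@obsolete @privileged" ];
      };

      nginx.serviceConfig = {
        # Group membership grants access to the group-writable hledger socket.
        SupplementaryGroups = [ "hledger" ];
        # The decrypted htpasswd is handed to nginx as a systemd credential; that is
        # why auth_basic_user_file points under /run/credentials/nginx.service/.
        LoadCredential = [ "hledger_users:${config.sops.secrets."hledger_users".path}" ];
      };
    };

    services.nginx = {
      upstreams.hledger.servers."unix:${socket}" = { };

      virtualHosts.${host} = {
        # Bound to a single IPv6 address on port 5000 with no ssl settings here,
        # while baseUrl is https — presumably a TLS terminator sits in front.
        # NOTE(review): basic-auth credentials cross that hop in the clear unless
        # it is itself protected; confirm against the front-end configuration.
        listen = [ { addr = "[2a03:4000:52:ada:4:1::]"; port = 5000; } ];
        # set_real_ip_from names exactly one peer (no prefix length) that may
        # supply the client address; nginx's default real_ip_header (X-Real-IP)
        # applies since none is set here.
        extraConfig = ''
          set_real_ip_from 2a03:4000:52:ada:4::;
          auth_basic "hledger";
          auth_basic_user_file "/run/credentials/nginx.service/hledger_users";
        '';
        locations."/" = {
          proxyPass = "http://hledger/";
          proxyWebsockets = true;
        };
      };
    };

    sops.secrets."hledger_users" = {
      format = "binary";
      sopsFile = ./htpasswd;
      # systemd materialises LoadCredential= files when the service starts, so a
      # reload of nginx would keep serving the old htpasswd snapshot after the
      # secret is rotated; a restart is required to pick up the new one.
      restartUnits = [ "nginx.service" ];
    };
  };
}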