# NixOS module: runs MollySocket as a dedicated account, hands it a
# sops-managed VAPID key, and publishes it through an nginx TLS virtual host.
{config, ...}: let
  # One name is used for the secret's owner/group and the systemd User/Group.
  serviceAccount = "mollysocket";
  vapidSecret = "mollysocket-vapid-key";
in {
  # VAPID private key, decrypted by sops-nix.
  # NOTE(review): 0440 also lets every member of the group read the key.
  # 0400 would be enough if only the service user needs it.
  # NOTE(review): this file does not declare the account itself. Confirm it
  # exists when sops-nix installs the secret, or the chown cannot succeed.
  sops.secrets.${vapidSecret} = {
    mode = "0440";
    owner = serviceAccount;
    group = serviceAccount;
  };

  services.mollysocket = {
    enable = true;
    settings = {
      # No listen address is set here, so the module default applies.
      # NOTE(review): confirm it is loopback-only, so that port 4381 cannot be
      # reached directly around the nginx proxy.
      port = 4381;
      # Only the path of the decrypted secret is passed in; the key material
      # is not written into the generated configuration.
      vapid_key_file = config.sops.secrets.${vapidSecret}.path;
      # NOTE(review): confirm whether MollySocket expects full endpoint URLs
      # here rather than bare hostnames.
      allowed_endpoints = [
        "molly.gladtherescake.eu"
        "nextcloud.gladtherescake.eu"
      ];
      # "*" accepts any account UUID. With the web server published below,
      # anyone who can reach the vhost can register. List specific UUIDs to
      # restrict use to known accounts.
      allowed_uuids = ["*"];
      webserver = true;
    };
  };

  # Run the unit under the same account that owns the secret.
  systemd.services.mollysocket.serviceConfig = {
    User = serviceAccount;
    Group = serviceAccount;
  };

  # TLS terminates at nginx (ACME certificate, HTTP redirected to HTTPS).
  # The hop to MollySocket is plain HTTP to localhost.
  services.nginx.virtualHosts."molly.gladtherescake.eu" = {
    forceSSL = true;
    enableACME = true;
    locations."/".proxyPass = "http://localhost:4381";
  };
}