{config, ...}: {
  sops.secrets."mollysocket-vapid-key".mode = "0440";
  sops.secrets."mollysocket-vapid-key".owner = config.users.users.root.name;

  services.mollysocket = {
    enable = true;
    settings = {
      port = 4381;
      vapid_key_file = config.sops.secrets."mollysocket-vapid-key".path;
      allowed_endpoints = ["molly.gladtherescake.eu" "nextcloud.gladtherescake.eu"];
      allowed_uuids = ["*"];
      webserver = true;
    };
  };
  services.nginx = {
    virtualHosts = {
      "molly.gladtherescake.eu" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "http://localhost:4381";
        };
      };
    };
  };
}