{config, ...}: {
  sops.secrets."mollysocket-vapid-key".mode = "0440";

  services.mollysocket = {
    enable = true;
    environmentFile = config.sops.secrets."mollysocket-vapid-key".path;
    settings = {
      port = 4381;
      allowed_endpoints = ["https://molly.gladtherescake.eu" "https://nextcloud.gladtherescake.eu"];
      allowed_uuids = ["db639f29-b7e7-431a-9c75-bcdcb87b6bdf"];
      webserver = true;
    };
  };
  services.nginx = {
    virtualHosts = {
      "molly.gladtherescake.eu" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "http://localhost:4381";
        };
      };
    };
  };
}