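# Wires the `rocie` module into the vhack.eu configuration.
#
# Declares `vhack.rocie.{enable,domain,loginSecret}` and, when enabled:
#   * configures `rocie` with the domain, a database under `data` and the
#     decrypted agenix secret as its secret key file,
#   * persists the state directory, accessible only to the `rocie` user,
#   * pins the `rocie` user and group to the ids from `vhack.constants.ids`,
#   * registers the age-encrypted secret with agenix.
{
  config,
  lib,
  ...
}: let
  cfg = config.vhack.rocie;

  # State directory; holds the database and is persisted below.
  data = "/var/lib/rocie";
in {
  options.vhack.rocie = {
    enable = lib.mkEnableOption "Rocie integration into vhack.eu";

    domain = lib.mkOption {
      type = lib.types.str;
      description = "The domain where to deploy rocie";
    };

    loginSecret = lib.mkOption {
      type = lib.types.path;
      description = "The age encrypted secret file for rocie, passed to agenix";
    };
  };

  config = lib.mkIf cfg.enable {
    rocie = {
      enable = true;
      inherit (cfg) domain;
      dbPath = "${data}/database.db";

      # Path of the decrypted secret, not the encrypted file from `cfg.loginSecret`.
      secretKeyFile = config.age.secrets.rocie_secret.path;
    };

    vhack.persist.directories = [
      {
        directory = data;
        user = "rocie";
        group = "rocie";
        # Owner-only: the directory contains the database.
        mode = "0700";
      }
    ];

    users = {
      groups.rocie = {
        gid = config.vhack.constants.ids.gids.rocie;
      };
      # NOTE(review): neither `isSystemUser` nor `isNormalUser` is set here;
      # presumably the `rocie` module sets one of them. Confirm.
      users.rocie = {
        group = "rocie";
        uid = config.vhack.constants.ids.uids.rocie;
      };
    };

    age.secrets.rocie_secret = {
      file = cfg.loginSecret;
      # Read-only for the owner. A key file needs neither the write nor the
      # execute bit, so "700" was broader than necessary.
      # Assumes rocie only reads `secretKeyFile`; verify against the rocie module.
      mode = "0400";
      owner = "rocie";
      group = "rocie";
    };
  };
}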