{ config, ... }:
{
  age.secrets.pds-env = {
    file = ../../secrets/pds-env.age;
    mode = "0400";
    owner = "pds";
  };

  services.bluesky-pds = {
    enable = true;
    environmentFiles = [ config.age.secrets.pds-env.path ];
    settings = {
      PDS_PORT = 5556;
      PDS_HOSTNAME = "pds.commonscomputer.com";
      # 100 MB blob upload limit (matches upstream default as of v0.4.219).
      # Set explicitly so the limit is visible in our config rather than
      # depending on whatever default the pinned nixpkgs module ships with.
      PDS_BLOB_UPLOAD_LIMIT = "104857600";
      # We can set a bunch of other things too
      # PDS_BSKY_APP_VIEW_URL
      # PDS_CRAWLERS
      # Full list available here: https://github.com/bluesky-social/atproto/blob/main/packages/pds/src/config/env.ts
    };
  };

  # Note: the option namespace is `services.tangled.<service>` (with a dot),
  # not `services.tangled-<service>` (with a dash). The dashed form was used
  # by an older third-party `tangled-knot-nix` flake; the official monorepo
  # at tangled.org/@tangled.org/core (which we import) uses the dotted form.
  # See nix/modules/{knot,spindle}.nix in the tangled core flake for the
  # full list of options.
  services.tangled.spindle = {
    enable = true;
    server = {
      hostname = "spindle.commonscomputer.com";
      owner = "did:plc:om5yygegi4yxcbay5gemn2wm";
    };
  };

  services.tangled.knot = {
    enable = true;
    server = {
      hostname = "knot.commonscomputer.com";
      owner = "did:plc:om5yygegi4yxcbay5gemn2wm";
    };
  };

  services.caddy = {
    enable = true;
    virtualHosts = {
      "knot.commonscomputer.com".extraConfig = ''
        reverse_proxy http://localhost:5555
      '';
      "pds.commonscomputer.com".extraConfig = ''
        reverse_proxy http://localhost:5556
      '';
      "spindle.commonscomputer.com".extraConfig = ''
        reverse_proxy http://localhost:6555
      '';
    };
  };
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];
}