{ config, ... }:
{
  age.secrets.pds-env = {
    file = ../../secrets/pds-env.age;
    mode = "0400";
    owner = "pds";
  };

  services.bluesky-pds = {
    enable = true;
    environmentFiles = [ config.age.secrets.pds-env.path ];
    settings = {
      PDS_PORT = 5556;
      PDS_HOSTNAME = "pds.commonscomputer.com";
      # We can set a bunch of other things too
      # PDS_BSKY_APP_VIEW_URL
      # PDS_CRAWLERS
      # PDS_BLOB_UPLOAD_LIMIT
      # Full list available here: https://github.com/bluesky-social/atproto/blob/main/packages/pds/src/config/env.ts
    };
  };

  services.tangled-spindle = {
    enable = true;
    server = {
      hostname = "spindle.commonscomputer.com";
      owner = "did:plc:dy6ekftqerqu5bcz76kgy6ux";
    };
  };

  # stolen from https://tangled.org/@isuggest.selfce.st/tangled-knot-nix/blob/main/knot.nix
  services.tangled-knot = {
    enable = true;
    server = {
      hostname = "knot.commonscomputer.com"; # put in the hostname where your knot can be accessed at. e.g. knot.a.tgirl.gay
      owner = "did:plc:dy6ekftqerqu5bcz76kgy6ux"; # your did, must be did:plc:<whatever> or did:web:<whatever>.
    };
    # optional configuration options. the current value is the default provided to the knot server.
    # appviewEndpoint = "https://tangled.sh"; # appview endpoint.
    # gitUser = "git"; # user that hosts git repos and performs git operations.
    # openFirewall = true; # open port 22 in the firewall for ssh.
    # stateDir = "/home/${cfg.gitUser}"; # tangled knot data directory.
    # repo = {
    #   scanPath = cfg.stateDir; # path where repositories are scanned from;
    #   mainBranch = "main"; # default branch name for repositories;
    # };
    # motd = ""; # message of the day. the contents are shown as-is; eg. you will want to add a newline if setting a non-empty message since the knot won't do this for you.
    # motdFile = null; # "file containing message of the day. the contents are shown as-is; eg. you will want to add a newline if setting a non-empty message since the knot won't do this for you."
    # server = {
    #   listenAddr = "0.0.0.0:5555"; # address to listen on.
    #   internalListenAddr = "127.0.0.1:5444"; # internal address for inter-service communication.
    #   dbPath = "${cfg.stateDir}/knotserver.db"; # path to the database file.
    #   dev = false; # enable development mode (disables signature verification)
    # };
  };

  services.caddy = {
    enable = true;
    virtualHosts = {
      "knot.commonscomputer.org".extraConfig = ''
        reverse_proxy http://localhost:5555
      ''; 
      "pds.commonscomputer.org".extraConfig = ''
        reverse_proxy http://localhost:5556
      '';
      "spindle.commonscomputer.com".extraConfig = ''
        reverse_proxy http://localhost:6555
      '';
    };
  };
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];
}