{
  self,
  config,
  pkgs,
  ...
}:
let
  # Custom radicle-explorer configured for local box node
  localExplorer = pkgs.radicle-explorer.withConfig {
    preferredSeeds = [
      {
        hostname = "rad.mossnet.lan";
        port = 80;
        scheme = "http";
      }
    ];
  };
in
{
  age.secrets.radicle-box-key.file = "${self}/secrets/radicle-box-key.age";
  age.secrets.radicle-box-key.owner = "radicle";

  services.radicle = {
    enable = true;
    privateKeyFile = config.age.secrets.radicle-box-key.path;
    publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII2QC5AbaTHCRVzGluWgXUlyBNFDxcLiIeViv81f3TYw mossnet.lan";

    node = {
      listenAddress = "0.0.0.0"; # Listen on all interfaces for local LAN access
      listenPort = 8776;
      openFirewall = true;
    };

    settings = {
      node = {
        alias = "mossnet.lan";
        connect = [ "z6MkfPhJnbrHbB4FNcub7weT8CRcqFgfJinDfSYjPwK9tSXy@10.0.69.5:8776" ];
        seedingPolicy.default = "block";
      };
    };

    # HTTP API for local web access
    httpd = {
      enable = true;
      listenAddress = "127.0.0.1";
      listenPort = 8888;
    };
  };

  # Nginx to serve radicle-explorer + proxy API
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;

    virtualHosts."rad.mossnet.lan" = {
      root = localExplorer;

      locations."/" = {
        tryFiles = "$uri $uri/ /index.html";
        index = "index.html";
      };

      # Proxy API requests to radicle-httpd
      locations."/api" = {
        proxyPass = "http://127.0.0.1:8888";
      };

      # Proxy raw file access to radicle-httpd
      locations."/raw" = {
        proxyPass = "http://127.0.0.1:8888";
      };

      # Proxy git protocol requests (rad:xxx) to radicle-httpd
      locations."~ ^/rad:" = {
        proxyPass = "http://127.0.0.1:8888";
      };
    };
  };

  # Open firewall for nginx
  networking.firewall.allowedTCPPorts = [ 80 ];

  # rad CLI for interactive use
  environment.systemPackages = [ pkgs.radicle-node ];
}