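# Single-node Garage (S3-compatible object store) for this host.
#
# All three listeners (S3 API, admin API, RPC) bind to loopback only, so
# nothing here is reachable from the network directly; external access is
# presumably provided by a reverse proxy defined elsewhere (the vhost-style
# root_domain below suggests so) -- confirm that the proxy terminates TLS and
# forwards only the S3 port, never the admin or RPC ports.
{ config, pkgs, ... }:
let
  vars = import ./vars.nix;
  # Every piece of Garage state lives below the primary storage mount.
  basePath = "${vars.primary_minio}/garage";
in
{
  services.garage = {
    enable = true;
    package = pkgs.garage;
    logLevel = "info";
    settings = {
      metadata_dir = "${basePath}/meta";
      data_dir = "${basePath}/data";
      db_engine = "sqlite";
      # One copy of each object: there is no redundancy inside Garage, so
      # durability depends entirely on the underlying storage and on backups.
      replication_factor = 1;

      # Inter-node RPC, loopback only. The shared secret is read from a file
      # so that it never ends up in the world-readable Nix store.
      rpc_bind_addr = "127.0.0.1:8504";
      rpc_public_addr = "127.0.0.1:8504";
      rpc_secret_file = config.sops.secrets."garage/rpc-secret".path;

      s3_api = {
        api_bind_addr = "127.0.0.1:8502";
        s3_region = "us-east-1";
        root_domain = ".s3.nayeonie.com";
      };

      admin = {
        # Loopback bind keeps the admin API off the network, but every local
        # user and process can still connect; the token is the only control.
        api_bind_addr = "127.0.0.1:8503";
        admin_token_file = config.sops.secrets."garage/admin-token".path;
        # NOTE(review): no metrics token is configured. Per Garage's
        # documentation the metrics endpoint is then served without
        # authentication, so it is protected by the loopback bind alone.
      };
    };
  };

  # Create the state directories with owner/group-only access.
  systemd.tmpfiles.rules = [
    "d ${basePath}/meta 0750 garage garage -"
    "d ${basePath}/data 0750 garage garage -"
  ];

  systemd.services.garage = {
    # Do not start before the storage mount is present; otherwise preStart
    # would create the directories on the root filesystem underneath it.
    unitConfig.RequiresMountsFor = [
      vars.primary_minio
      basePath
      "${basePath}/meta"
      "${basePath}/data"
    ];

    # Runs as root (see PermissionsStartOnly below). It repeats what the
    # tmpfiles rules do and additionally re-owns existing content on every
    # start.
    preStart = ''
      mkdir -p ${basePath}/meta ${basePath}/data
      chown -R garage:garage ${basePath}/meta ${basePath}/data
    '';

    serviceConfig = {
      # Only the main process drops to User/Group; preStart keeps root so it
      # can chown. NOTE(review): systemd documents this setting as deprecated
      # in favour of "+"-prefixed Exec lines.
      PermissionsStartOnly = true;
      # Fixed account instead of a dynamic one, presumably so that file
      # ownership on the external mount stays stable across restarts.
      DynamicUser = false;
      User = "garage";
      Group = "garage";
    };
  };

  users.groups.garage = { };
  users.users.garage = {
    isSystemUser = true;
    group = "garage";
  };

  # sops-nix installs secrets as root:root 0400 unless told otherwise. Garage
  # opens both files from its main process, which runs as the unprivileged
  # "garage" user, so the files must be owned by that user; 0400 keeps them
  # unreadable for every other account.
  sops.secrets = {
    "garage/rpc-secret" = {
      owner = "garage";
      group = "garage";
      mode = "0400";
    };
    "garage/admin-token" = {
      owner = "garage";
      group = "garage";
      mode = "0400";
    };
  };
}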