{ pkgs, config, lib, self, ... }:

{
  age.secrets.garage_rpc_token = {
    file = "${self}/secrets/chonk_garage_rpc_secret.age";
    owner = "garage";
    group = "garage";
  };

  networking.firewall.interfaces.wg0.allowedTCPPorts = [ 3900 3901 ];

  users.groups.garage = {};
  users.users.garage = {
    group = "garage";
    isSystemUser = true;
  };

  # overwrite dynamicuser
  systemd.services.garage.serviceConfig = {
    User = "garage";
    Group = "garage";
    DynamicUser = false;
    StateDirectory = lib.mkForce null;
  };

  services.garage = {
    enable = true;
    package = pkgs.garage_0_8;
    settings = {
      replication_mode = "1";
      rpc_bind_addr = "[::]:3901";
      rpc_secret_file = config.age.secrets.garage_rpc_token.path;
      s3_api = {
        api_bind_addr = "[::]:3900";
        s3_region = "garage";
        root_domain = ".s3.gssws.de";
      };
    };
  };
}