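# NixOS module: InvoicePlane for billing.faenix.eu, served by nginx over TLS
# with an ACME certificate, plus a nightly restic backup (through rclone) of
# the site's state directory and a MariaDB dump.
#
# Changes from the previous revision:
#   * the unused `psCfg` / `xdg` let-bindings are gone; nothing here read them
#   * the host name and state directory are defined once, so the certificate,
#     vhost, site, PHP error log and backup path cannot drift apart
#   * the SQL dump is written under a restrictive umask
{
  flake,
  config,
  pkgs,
  lib,
  ...
}:
let
  host = "billing.faenix.eu";
  stateDir = "/var/lib/invoiceplane/${host}";
  backupDir = "/var/lib/invoiceplane/backup";
in
{
  # Empty attrset: all certificate settings come from ACME defaults that are
  # defined outside this file.
  security.acme.certs.${host} = { };

  services.nginx.virtualHosts.${host} = {
    # Redirect plain HTTP to HTTPS; the application handles billing data.
    forceSSL = true;
    useACMEHost = host;
  };

  services.invoiceplane = {
    webserver = "nginx";

    sites.${host} = {
      enable = true;

      invoiceTemplates = [
        flake.self.inputs.invoiceplane-template.packages.${pkgs.system}.invoiceplane-template
      ];

      settings = {
        IP_URL = "https://${host}";
        # Keep the web installer disabled on the live site.
        DISABLE_SETUP = true;
        SETUP_COMPLETED = true;
        # Useful for debugging, logs to
        # /var/lib/invoiceplane/billing.faenix.eu/logs/
        # Leave this off in normal operation.
        #ENABLE_DEBUG=true;
      };

      poolConfig = {
        "pm" = "dynamic";
        "pm.max_children" = 32;
        "pm.max_requests" = 500;
        "pm.max_spare_servers" = 4;
        "pm.min_spare_servers" = 2;
        "pm.start_servers" = 2;
        "php_admin_value[date.timezone]" = "Europe/Berlin";
        # PHP errors go to a log file and are never rendered into responses.
        "php_admin_value[error_log]" = "${stateDir}/logs/php-error.log";
        "php_admin_flag[display_errors]" = "off";
        "php_admin_flag[log_errors]" = "on";
        "catch_workers_output" = "yes";
      };
    };
  };

  # Holds the plaintext SQL dump, so only root may enter it.
  # NOTE(review): confirm that /var/lib/invoiceplane itself is root-owned. A
  # file written by root below a directory that another account can modify is
  # not safe.
  systemd.tmpfiles.rules = [
    "d '${backupDir}' 0700 root root - -"
  ];

  services.restic.backups = {
    invoiceplane = {
      paths = [
        backupDir
        stateDir
      ];
      timerConfig = {
        OnCalendar = "*-*-* 00:00:00 Etc/UTC";
      };
      initialize = true;
      # Both secrets are read from agenix paths, so they are not written into
      # this file in clear text.
      passwordFile = config.age.secrets."restic-password.age".path;
      # See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/
      repository = "rclone:cloud.pub.solar:/Backups/InvoicePlane";
      # The redirection is performed by the shell that runs this command, not
      # by the sudo'd mariadb-dump, so the dump file belongs to the unit's
      # user (presumably root, given the 0700 root directory above).
      # The subshell keeps `umask 077` from leaking into later steps. The
      # umask only takes effect when the file is first created; an existing
      # dump keeps its current mode.
      # NOTE(review): the dump stays on disk between runs; if that is not
      # wanted, remove it once the backup has finished.
      backupPrepareCommand = ''
        (
          umask 077
          ${pkgs.sudo}/bin/sudo -u invoiceplane ${pkgs.mariadb-client}/bin/mariadb-dump --all-databases --user=invoiceplane > "${backupDir}/invoiceplane-mariadb-dump.sql"
        )
      '';
      rcloneConfigFile = config.age.secrets."fae-rclone.conf.age".path;
    };
  };
}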