{
  config,
  tools,
  ...
}:
let
  name = "finances";
  db_ip = tools.build_ip "db";
in
{
  environment.etc."firefly-iii/app.key" = {
    source = config.age.secrets.finances-app-key.path;
    user = "firefly-iii";
    group = "nginx";
  };
  services.firefly-iii = {
    enable = true;
    enableNginx = true;
    settings = {
      SITE_OWNER = config.globals.master.email;
      DB_CONNECTION = "pgsql";
      DB_HOST = db_ip;
      DB_PORT = 5432;
      DB_DATABASE = name;
      DB_USERNAME = name;
      DB_PASSWORD = config.my-lxc.finances.db.password;
      AUTHENTICATION_GUARD = "remote_user_guard";
      AUTHENTICATION_GUARD_HEADER = "HTTP_REMOTE_EMAIL";
      AUTHENTICATION_GUARD_EMAIL = "HTTP_REMOTE_EMAIL";
      APP_URL = "https://${tools.build_hostname "finances"}";
      APP_KEY_FILE = "/etc/firefly-iii/app.key";
      TRUSTED_PROXIES = tools.build_ip "proxy";
      TZ = config.globals.default_tz;
    };
  };
}