{ config, ... }: {
  sops = {
    templates."atticd.env" = {
      owner = "root";
      group = "root";
      mode = "0400";
      content = ''
        ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64=${config.sops.placeholder."attic/server-token-rs256-secret-base64"}
      '';
    };
  };

  sops.secrets."attic/server-token-rs256-secret-base64" = {
    sopsFile = ../../../../secrets/attic-secrets.yaml;
    owner = "root";
    group = "root";
    mode = "0400";
  };

  services.atticd = {
    enable = true;
    environmentFile = config.sops.templates."atticd.env".path;
    settings = {
      listen = "[::]:8080";
      jwt = { };
    };
  };

  chiasson.system.networking.firewall.allowedTCPPorts = [ 8080 ];
}