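{
  config,
  pkgs,
  inputs,
  lib,
  ...
}: let
  # Mastodon comes from the nixpkgs-master flake input rather than the system
  # nixpkgs, so its version is pinned by that input's lock entry and only
  # moves when the lock is bumped deliberately.
  newestPackages = inputs.nixpkgs-master.legacyPackages.${pkgs.system};
  package = newestPackages.mastodon;
  domain = "peninsula.industries";

  # State root. No trailing slash so the paths derived from it do not contain "//".
  path = "/var/lib/mastodon";
  # Uploaded and cached media; served by nginx, hence group-readable (see make-path).
  publicPath = "${path}/public-system";
  # Runtime secrets env consumed by tootctl; presumably written by the NixOS
  # module's mastodon-init-dirs service — confirm it exists before the timer fires.
  secretsEnvPath = "${path}/.secrets_env";

  # sops-nix materialises these under /run/secrets, owned by the service user
  # (secretSettings below), so no other account on the host can read them.
  mailgunSmtpSecretName = "mastodon-mailgun-smtp-password";
  mailgunSmtpPasswordPath = "/run/secrets/${mailgunSmtpSecretName}";
  mastodonDbSecretName = "mastodon-db";
  mastodonDbSecretPath = "/run/secrets/${mastodonDbSecretName}";
  mastodonEncryptionSecretName = "mastodon-encryption";
  mastodonEncryptionSecretPath = "/run/secrets/${mastodonEncryptionSecretName}";

  # Fixed ids keep secret ownership and on-disk ownership stable across rebuilds.
  uid = 2049;
  gid = 3049;
  systemUserName = "mastodon";
  systemGroupName = "mastodon";
  users = {
    users.${systemUserName} = {
      inherit uid;
      isSystemUser = true;
      isNormalUser = false;
      group = systemGroupName;
    };
    groups.${systemGroupName} = {
      inherit gid;
      # nginx is in the group only so it can read media under publicPath,
      # where the group is granted r/X and "other" nothing.
      members = [systemUserName "nginx"];
    };
  };
  tootctlPath = "/run/current-system/sw/bin/mastodon-tootctl";
  # Ownership applied to every secret. The file mode is left at the sops-nix
  # default (owner-only read unless overridden) — verify nothing widens it.
  secretSettings = {
    owner = systemUserName;
    group = systemGroupName;
  };
in {
  imports = [../nginx.nix];

  sops.secrets.${mailgunSmtpSecretName} =
    {
      sopsFile = ./mailgun.sops.yaml;
      path = mailgunSmtpPasswordPath;
    }
    // secretSettings;
  sops.secrets.${mastodonDbSecretName} =
    {
      sopsFile = ./mastodon-db.sops.yaml;
      path = mastodonDbSecretPath;
    }
    // secretSettings;

  # Whole env file (not a single value), hence format = "binary"; it is handed
  # to Mastodon verbatim via extraEnvFiles. Presumably holds the
  # ACTIVE_RECORD_ENCRYPTION_* keys — confirm against the decrypted file.
  sops.secrets.${mastodonEncryptionSecretName} =
    {
      sopsFile = ./mastodon.encryption.env.sops;
      format = "binary";
      path = mastodonEncryptionSecretPath;
    }
    // secretSettings;

  inherit users;

  # Creates the state tree and pins media permissions: owner rwX, group rX
  # (read-only for nginx), others nothing. Both directories are created before
  # the chown so a freshly created public-system is owned by the service user
  # rather than root (the previous order left it root-owned on first run).
  # NOTE(review): this unit has no wantedBy/requiredBy and `before` names a
  # container unit this module does not define; unless another module pulls
  # it in, it never runs — confirm.
  # NOTE(review): recursive chown/chmod as root over a tree the service user
  # can write is best-effort hygiene, not a security boundary.
  systemd.services.mastodon-make-path = {
    description = "Create Mastodon state directories and fix media permissions";
    script = ''
      mkdir -p ${path} ${publicPath}
      chown -R ${systemUserName}:${systemGroupName} ${path}
      chmod -R o-rwx ${publicPath}
      chmod -R g-rwx ${publicPath}
      chmod -R g+X ${publicPath}
      chmod -R g+r ${publicPath}
      chmod -R u+rwX ${publicPath}
    '';
    serviceConfig.Type = "oneshot";
    before = ["container@mastodon.service"];
  };

  # Daily media pruning as the service user, sourcing the secrets env so
  # tootctl can reach the database. Replaces the module's own mediaAutoRemove
  # (disabled below) with a fuller prune: remote media, profile images and
  # headers older than 8 days, stale preview cards, and orphaned files.
  # NOTE(review): no after=/requires= on the database or mastodon units; on a
  # cold boot the timer could fire before they are up — confirm ordering.
  systemd.services.mastodon-media-auto-remove = {
    description = "Mastodon media auto remove";
    serviceConfig = {
      User = systemUserName;
      Group = systemGroupName;
      Type = "oneshot";
      EnvironmentFile = secretsEnvPath;
    };
    script = ''
      ${tootctlPath} media remove --days=8 --prune-profiles --include-follows -c1
      ${tootctlPath} media remove --days=8 --remove-headers --include-follows -c1
      ${tootctlPath} preview_cards remove --days=8
      ${tootctlPath} media remove-orphans --fix-permissions
    '';
    startAt = "daily";
  };

  services.mastodon = {
    enable = true;
    inherit package;
    localDomain = domain;
    user = systemUserName;
    group = systemGroupName;
    # Pruning is handled by mastodon-media-auto-remove above.
    mediaAutoRemove.enable = false;
    streamingProcesses = 4;
    webProcesses = 2;
    sidekiqThreads = 16;
    smtp = {
      host = "smtp.eu.mailgun.org";
      # 465 is implicit TLS; SMTP_TLS below turns it on.
      port = 465;
      authenticate = true;
      user = "postmaster@${domain}";
      fromAddress = "Peninsula Industries Mastodon <mastodon@${domain}>";
      createLocally = false;
      # Password is read from the sops-managed file, never from the store.
      passwordFile = mailgunSmtpPasswordPath;
    };
    extraConfig = {
      SMTP_TLS = "true";
      # Should be a no-op on an implicit-TLS port; kept for compatibility.
      SMTP_ENABLE_STARTTLS_AUTO = "true";
      # Hardening for a one-person instance: no open registration, ActivityPub
      # fetches must be signed, and the public API is closed to anonymous clients.
      SINGLE_USER_MODE = "true";
      # With configureNginx nginx already serves assets; this is likely redundant.
      RAILS_SERVE_STATIC_FILES = "true";
      AUTHORIZED_FETCH = "true";
      DISALLOW_UNAUTHENTICATED_API_ACCESS = "true";
    };
    extraEnvFiles = [
      mastodonEncryptionSecretPath
    ];
    configureNginx = true;
    # nginx proxies over unix sockets rather than loopback TCP.
    enableUnixSocket = true;
    database = {
      passwordFile = mastodonDbSecretPath;
    };
  };
}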