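# Clan service module for Actual Budget.
#
# Enables the NixOS `services.actual` server on port 5006 and declares an nginx
# virtual host at "<domain>.<networking.fqdn>" that forces TLS and proxies to
# the local server.
#
# This module only declares the virtual host: it does not enable nginx and does
# not open ports 80/443, so those have to be configured elsewhere.
{ lib, ... }:
{
  _class = "clan.service";
  manifest.name = "actual-budget";
  manifest.description = "A local-first personal finance app ";
  manifest.categories = [ "System" ];

  roles.default = {
    interface.options = {
      domain = lib.mkOption {
        type = lib.types.str;
        default = "budget";
        description = "Sub domain for Actual Budget.";
      };

      # Previously hard-coded to `true`. The default is unchanged so existing
      # instances stay reachable exactly as before.
      openFirewall = lib.mkOption {
        type = lib.types.bool;
        default = true;
        description = ''
          Whether to open the Actual Budget port in the firewall.
          When the service is reached through the nginx virtual host, set this
          to false so the backend port is not reachable without TLS.
        '';
      };
    };

    perInstance =
      { settings, ... }:
      {
        nixosModule =
          { config, ... }:
          let
            # Fully qualified name of the virtual host, e.g. "budget.<fqdn>".
            domain = "${settings.domain}.${config.networking.fqdn}";
          in
          {
            services.actual = {
              enable = true;

              # With the port open, any client that can reach it talks to the
              # server directly instead of going through the `forceSSL` virtual
              # host below. No TLS is configured for the server in `settings`,
              # so password logins on that path would not be encrypted.
              # NOTE(review): the listen address is not set here; confirm what
              # the server binds to by default.
              openFirewall = settings.openFirewall;

              settings = {
                port = 5006;
                allowedLoginMethods = [
                  "password"
                  "openid"
                ];
                # Only the local reverse proxy is trusted to supply forwarded
                # client addresses.
                # NOTE(review): the proxy target below is "localhost", which
                # may also resolve to ::1 — confirm that nginx connects from
                # 127.0.0.1, or list ::1 here as well.
                trustedProxies = [ "127.0.0.1" ];
              };
            };

            services.nginx.virtualHosts."${domain}" = {
              forceSSL = true;
              # Reuses the ACME certificate issued for the host's FQDN.
              # NOTE(review): that certificate has to cover "${domain}" as well
              # (wildcard or extra domain name) — confirm where it is defined.
              useACMEHost = "${config.networking.fqdn}";
              locations."/" = {
                proxyPass = "http://localhost:${builtins.toString config.services.actual.settings.port}";
              };
            };
          };
      };
  };
}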