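# clan/NixOS machine module for the VM that hosts the InvenTree instance for Glom.
#
# Arguments:
#   inputs - accepted for interface compatibility; not referenced in this module
#   config - evaluated system configuration, used to resolve generated secret paths
#   pkgs   - package set supplying the tools the generator scripts run
{
  inputs,
  config,
  pkgs,
  ...
}:
let
  # Public hostname of the service. Used for the InvenTree site URL and for the
  # TLS certificate subject, so the two cannot drift apart.
  domain = "glom-inventory.newedge.house";

  # Every generated file is a secret owned by (and group-readable only to) the
  # service account that consumes it.
  secretOwnedBy = user: {
    owner = user;
    group = user;
    secret = true;
  };
in
{
  clan.core.settings.machine.description = "VM machine that host Inventree system for Glom";

  nixpkgs.hostPlatform = {
    system = "x86_64-linux";
  };

  # Application secrets for InvenTree, generated once by clan vars.
  clan.core.vars.generators.inventree = {
    files = {
      secret-key = secretOwnedBy "inventree";
      # NOTE(review): oidc-key is generated here but not referenced by
      # services.inventree below; confirm where it is consumed.
      oidc-key = secretOwnedBy "inventree";
      admin-password = secretOwnedBy "inventree";
    };
    runtimeInputs = [
      pkgs.pwgen
      pkgs.xkcdpass
    ];
    # "$out" is quoted on every line so a path containing whitespace cannot
    # split the redirect target.
    # NOTE(review): the admin password is a four-word passphrase; consider more
    # words if the admin login is internet-reachable without rate limiting.
    script = ''
      pwgen -s 32 1 > "$out"/secret-key
      pwgen -s 32 1 > "$out"/oidc-key
      xkcdpass --numwords 4 --delimiter - --count 1 | tr -d "\n" > "$out"/admin-password
    '';
  };

  # Self-signed TLS key pair for nginx.
  clan.core.vars.generators.nginx = {
    files = {
      sslCert = secretOwnedBy "nginx";
      sslKey = secretOwnedBy "nginx";
    };
    runtimeInputs = [ pkgs.openssl ];
    # The subject and subjectAltName carry the served hostname rather than
    # "localhost": a client that verifies hostnames can then pin or trust this
    # certificate instead of disabling verification altogether.
    # An already-generated certificate keeps its old subject until the
    # generator is re-run.
    # NOTE(review): -nodes leaves the private key unencrypted on disk, so its
    # protection is the owner/group/secret settings above. The certificate is
    # valid for ten years; plan a rotation, or replace it with a CA-issued one.
    # NOTE(review): nothing in this module points nginx at sslCert/sslKey;
    # confirm where they are wired in.
    script = ''
      openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
        -keyout "$out"/sslKey \
        -out "$out"/sslCert \
        -subj "/CN=${domain}" \
        -addext "subjectAltName=DNS:${domain}"
    '';
  };

  # HTTP and HTTPS are exposed. Whether port 80 only redirects to HTTPS is not
  # visible in this module; verify it, since the site URL below is https-only.
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];

  services.inventree = {
    enable = true;
    inherit domain;
    # Secrets are passed as file paths, so their values stay out of the
    # evaluated configuration.
    secretKeyFile = config.clan.core.vars.generators.inventree.files.secret-key.path;
    adminPasswordFile = config.clan.core.vars.generators.inventree.files.admin-password.path;
    settings.INVENTREE_SITE_URL = "https://${domain}";
  };

  system.stateVersion = "25.11";

  # Secrets with no explicit group are encrypted to the "admins" sops group.
  clan.core.sops.defaultGroups = [ "admins" ];
}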