{
  config,
  service_configs,
  lib,
  ...
}:
{
  imports = [
    (lib.serviceMountWithZpool "ntfy-sh" service_configs.zpool_ssds [
      "/var/lib/ntfy-sh"
    ])
  ];

  services.ntfy-sh = {
    enable = true;

    settings = {
      base-url = "https://${service_configs.ntfy.domain}";
      listen-http = "127.0.0.1:${builtins.toString service_configs.ports.ntfy}";
      behind-proxy = true;
      auth-default-access = "deny-all";
    };
  };

  services.caddy.virtualHosts."${service_configs.ntfy.domain}".extraConfig = ''
    reverse_proxy :${builtins.toString service_configs.ports.ntfy}
  '';

  systemd.tmpfiles.rules = [
    "Z /var/lib/ntfy-sh 0700 ${config.services.ntfy-sh.user} ${config.services.ntfy-sh.group}"
  ];
}