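# NixOS module: runs the OwnTracks Recorder (ot-recorder) under a dedicated
# account and publishes its HTTP interface through a Caddy virtual host.
#
# Arguments:
#   pkgs            - package set providing owntracks-recorder
#   service_configs - site settings; this module reads owntracks.data_dir,
#                     ports.owntracks and https.domain
#   username        - existing user who is added to the owntracks group
{ pkgs, service_configs, username, ... }:
let
  # Extend the packaged recorder so the web UI (docroot/) is copied into the
  # output; the service serves it via --doc-root.
  owntracks_pkg = pkgs.owntracks-recorder.overrideAttrs (old: {
    installPhase = old.installPhase + ''
      mkdir -p $out/usr/share/ot-recorder
      cp -R docroot/* $out/usr/share/ot-recorder
    '';
  });

  dataDir = service_configs.owntracks.data_dir;
  httpPort = builtins.toString service_configs.ports.owntracks;
in
{
  users.groups.owntracks = { };

  # Service account. Declared as a system user rather than a normal user:
  # isNormalUser would give the daemon a /home directory and the default
  # login shell, neither of which a recorder process needs.
  # NOTE(review): on a host where the account already exists as a normal user,
  # check the ownership of the data directory after switching.
  users.users.owntracks = {
    isSystemUser = true;
    group = "owntracks";
  };

  systemd.services.owntracks = {
    enable = true;
    description = "Store and access data published by OwnTracks apps";
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      User = "owntracks";
      Group = "owntracks";
      # --doc-root below is relative, so the working directory must be the
      # package root.
      WorkingDirectory = "${owntracks_pkg}";
      # --port 0 is passed so that only the HTTP interface is used.
      # NOTE(security): the recorder's HTTP interface is protected here only
      # by the Caddy auth snippet; confirm the listener stays on loopback
      # (ot-recorder's --http-host setting) so that the port cannot be reached
      # without going through the proxy - TODO confirm the default.
      ExecStart = "${owntracks_pkg}/bin/ot-recorder -S ${dataDir} --doc-root usr/share/ot-recorder --http-port ${httpPort} --port 0";

      # Sandboxing: the process stores location history and parses requests
      # from the network, so limit what a compromise could reach. The data
      # directory is the only writable path.
      # ProtectHome is deliberately not set, because data_dir may live under
      # /home on some hosts.
      NoNewPrivileges = true;
      PrivateTmp = true;
      PrivateDevices = true;
      ProtectSystem = "strict";
      ReadWritePaths = [ dataDir ];
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      RestrictSUIDSGID = true;
      LockPersonality = true;
    };
  };

  # Data directory: owner and group only (0770); members of the owntracks
  # group can read and write the stored location data.
  systemd.tmpfiles.rules = [
    "d ${dataDir} 0770 owntracks owntracks"
  ];

  # NOTE(security): builtins.readFile inlines ../secrets/owntracks_caddy_auth
  # at evaluation time, so its contents become part of the generated Caddy
  # configuration in the world-readable Nix store. That is tolerable only if
  # the file holds password hashes and no cleartext credentials; otherwise
  # load it at runtime instead (for example a Caddy `import` of a path
  # provisioned by the host's secrets manager).
  services.caddy.virtualHosts."owntracks.${service_configs.https.domain}".extraConfig = ''
    ${builtins.readFile ../secrets/owntracks_caddy_auth}
    reverse_proxy :${httpPort}
  '';

  # Grants the interactive user direct access to the recorder's data through
  # group membership.
  users.users.${username}.extraGroups = [ "owntracks" ];
}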