{
  sources,
  lib,
  pkgs,
  config,
  ...
}:
{
  services.django.ragb = {
    enable = true;
    src = pkgs.ragb-src + "/frontend";
    settings = {
      DEBUG = false;
      WEBSOCKET_ENDPOINT = "https://agb.hackens.org/api";
      ALLOWED_HOSTS = [
        "127.0.0.1"
        "agb.hackens.org"
      ];
      DATABASES = {
        "default" = {
          "ENGINE" = "django.db.backends.sqlite3";
          "NAME" = "/var/lib/django-ragb/ragb_frontend.sqlite3";
        };
      };
    };
    processes = 2;
    threads = 4;
    port = 9991;
    extraPackages = p: [
      p.authens
      p.pyjwt
    ];
    secrets = {
      SECRET_KEY = config.age.secrets.ragb.path;
      JWT_SECRET = config.age.secrets.ragbJWT.path;
    };
  };
  services.nginx.virtualHosts."agb.hackens.org" = {
    forceSSL = true;
    enableACME = true;
    locations = {
      "/" = {
        proxyPass = "http://localhost:9991";
      };
      "/api" = {
        proxyPass = "http://localhost:9999";
        proxyWebsockets = true;
      };
      "/static".root = config.services.django.ragb.staticAssets;
      "= /api-docs" = {
        return = "302 /api-docs/";
      };
      "/api-docs/" = {
        alias = "${pkgs.ragb-src + "/api-docs/"}/";
        extraConfig = "autoindex on;";
      };
      "= /api-docs/patch.json".alias = pkgs.ragb-src + "/frontend/patch.json";
    };
  };

  systemd.services.django-ragb.serviceConfig = {
    Wants = [ "ragb-backend.service" ];
  };
  systemd.services.ragb-backend = {
    script = ''
      export JWT_SECRET=$(cat $CREDENTIALS_DIRECTORY/jwt_secret)
      export BK_FILE="$STATE_DIRECTORY/data.json"
      # export RUST_LOG=info
      ${pkgs.ragb-backend}/bin/ragb-backend
    '';
    serviceConfig = {
      LoadCredential = [
        "jwt_secret:${config.age.secrets.ragbJWT.path}"
      ];
      DynamicUser = true;
    };
  };
}