{
  config,
  lib,
  pkgs,
  ...
}:

let
  inherit (lib) mapAttrs' nameValuePair;

  # Root domains: `host` is used for the S3 API vhost and `webHost` for the
  # static-website vhost, and both serve as root_domain in the Garage settings.
  host = "s3.dgnum.eu";
  webHost = "cdn.dgnum.eu";

  # On-disk locations; reused for the Garage settings and for the systemd
  # unit's writable paths.
  data_dir = "/data/slow/garage/data";
  metadata_dir = "/data/fast/garage/meta";

  # Custom domains. They are used as bucket names (see `buckets`) and as
  # aliases of the web vhost.
  domains = [
    "bandarretdurgence.ens.fr"
    "boussole-sante.normalesup.eu"
    "lanuit.ens.fr"
    "simi.normalesup.eu"
  ];

  # Every name here becomes `<bucket>.<root>` on BOTH the S3 API vhost and the
  # web vhost.
  # NOTE(review): that includes "monorepo-terraform-state". Terraform state
  # commonly holds credentials, so confirm this bucket needs a web-facing
  # alias at all and that website access is not enabled on it.
  buckets = [
    "monorepo-terraform-state"

    "banda-website"
    "castopod-dgnum"
    "hackens-website"
    "nuit-website"
    "peertube-videos-dgnum"
  ] ++ domains;

  # mkHosted root names -> [ "<name>.<root>" ... ]
  # The first parameter is deliberately not called `host`, so it does not
  # shadow the binding above.
  mkHosted = root: names: map (name: "${name}.${root}") names;

  # TCP ports of the Garage listeners, in numeric order.
  ports = {
    s3_api = 3900;
    rpc = 3901;
    s3_web = 3902;
    admin_api = 3903;
    k2v_api = 3904;
  };
in
{
  # Register every Garage port under the key "garage-<name>" with the
  # project-specific `dgn-web.internalPorts` option. What that option enforces
  # (reservation only, or also firewalling) is defined outside this file.
  dgn-web.internalPorts = mapAttrs' (name: port: nameValuePair "garage-${name}" port) ports;

  services.garage =
    let
      # Listener address builders. Keeping the two forms apart shows at a
      # glance which APIs are loopback-only and which accept connections on
      # every interface.
      loopback = port: "127.0.0.1:${toString port}";
      wildcard = port: "[::]:${toString port}";
    in
    {
      enable = true;
      package = pkgs.garage_1_0_1;

      # Environment file taken from an age-encrypted secret, so its contents
      # stay out of the Nix store.
      # NOTE(review): no rpc_secret, admin token or metrics token is set in
      # `settings` below; presumably they are supplied through this file.
      # Confirm all three are present.
      environmentFile = config.age.secrets."garage-environment_file".path;

      settings = {
        inherit data_dir metadata_dir;

        db_engine = "lmdb";
        compression_level = 7;
        replication_mode = "none"; # TODO: deprecated

        # NOTE(review): the RPC listener binds to every interface, while the
        # advertised address is loopback and replication is "none". Unless
        # peers are expected or a firewall covers this port, binding to
        # loopback would reduce the exposed surface.
        rpc_bind_addr = wildcard ports.rpc;
        rpc_public_addr = loopback ports.rpc;

        # S3 API: loopback only, reached through the nginx vhost for `host`.
        s3_api = {
          api_bind_addr = loopback ports.s3_api;
          s3_region = "garage";
          root_domain = ".${host}";
        };

        # Static website endpoint: loopback only, reached through the nginx
        # vhost for `webHost`.
        s3_web = {
          bind_addr = loopback ports.s3_web;
          root_domain = ".${webHost}";
          index = "index.html";
        };

        # NOTE(review): K2V is the only HTTP API bound to every interface, and
        # this file puts no TLS-terminating proxy in front of it. Confirm the
        # exposure is intended and that the port is filtered.
        k2v_api = {
          api_bind_addr = wildcard ports.k2v_api;
        };

        # Admin API: loopback only, but published through the "s3-admin"
        # nginx vhost.
        admin = {
          api_bind_addr = loopback ports.admin_api;
        };
      };
    };

  systemd.services.garage.serviceConfig = {
    # Run as the dedicated `garage` account declared in users.users.garage.
    User = "garage";

    # TimeoutSec sets both the start and the stop timeout (10 minutes here).
    TimeoutSec = 600;

    # ReadWriteDirectories is systemd's legacy spelling of ReadWritePaths. It
    # only matters when the unit is otherwise sandboxed (e.g. ProtectSystem),
    # which this file does not show.
    # NOTE(review): ownership and mode of these directories are not set here;
    # verify they belong to `garage` and are not world-readable.
    ReadWriteDirectories = [ data_dir metadata_dir ];
  };

  # Dedicated system account and group for the Garage daemon.
  users = {
    groups.garage = { };

    users.garage = {
      group = "garage";
      isSystemUser = true;
    };
  };

  # TLS-terminating reverse proxies in front of the loopback-bound Garage
  # listeners. All three vhosts request ACME certificates and force HTTPS.
  #
  # Each vhost forwards X-Forwarded-For via $proxy_add_x_forwarded_for, which
  # appends the peer address to whatever header the client sent. Only the last
  # entry is set by this proxy; earlier entries are client-controlled and must
  # not be trusted for logging or access decisions.
  services.nginx.virtualHosts = {
    # Garage admin API, published on a public hostname.
    # NOTE(review): no allow-list or other nginx-level restriction is visible
    # here, so access control rests entirely on Garage's own tokens. Per the
    # Garage documentation, the metrics endpoint is served without
    # authentication when no metrics token is configured; confirm one is set,
    # or restrict this vhost to trusted networks.
    "s3-admin.dgnum.eu" = {
      enableACME = true;
      forceSSL = true;

      locations."/".extraConfig = ''
        proxy_pass http://127.0.0.1:${toString ports.admin_api};
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
      '';
    };

    # S3 API endpoint; the aliases "<bucket>.s3.dgnum.eu" cover every entry of
    # `buckets`. Uploads are capped at 5G per request and responses are not
    # buffered to temporary files.
    # NOTE(review): presumably each alias is also added to the ACME
    # certificate, which would make the bucket names public through
    # certificate transparency logs - confirm that is acceptable.
    ${host} = {
      enableACME = true;
      forceSSL = true;

      serverAliases = mkHosted host buckets;

      locations."/".extraConfig = ''
        proxy_pass http://127.0.0.1:${toString ports.s3_api};
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        # Disable buffering to a temporary file.
        proxy_max_temp_file_size 0;
        client_max_body_size 5G;
      '';
    };

    # Static website endpoint; aliases are the custom `domains` plus
    # "<bucket>.cdn.dgnum.eu" for every entry of `buckets`.
    # NOTE(review): the alias list is built from all buckets, including
    # "monorepo-terraform-state". Whether Garage serves a bucket here depends
    # on state outside this file; consider aliasing only buckets that are
    # meant to be public websites.
    ${webHost} = {
      enableACME = true;
      forceSSL = true;

      serverAliases = domains ++ (mkHosted webHost buckets);

      locations."/".extraConfig = ''
        proxy_pass http://127.0.0.1:${toString ports.s3_web};
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
      '';
    };
  };
}