{ config, ... }:
{
  deployment = {
    mem = 2 * 1024;
    vcpu = 8;
    needForSpeed = true;
  };
  system.stateVersion = "22.11";
  networking.hostName = "buzzrelay";

  sops.defaultSopsFile = ./secrets.yaml;
  sops.secrets = {
    "buzzrelay/privKey".owner = config.services.buzzrelay.user;
    "buzzrelay/pubKey".owner = config.services.buzzrelay.user;
  };
  services.buzzrelay = {
    enable = true;
    hostName = "relay.fedi.buzz";
    privKeyFile = config.sops.secrets."buzzrelay/privKey".path;
    pubKeyFile = config.sops.secrets."buzzrelay/pubKey".path;
  };
  services.postgresql.settings.log_min_duration_statement = 50;
  services.nginx = {
    enable = true;
    virtualHosts."relay.fedi.buzz" = {
      forceSSL = true;
      enableACME = true;
      locations."/".proxyPass = "http://127.0.0.1:${toString config.services.buzzrelay.listenPort}/";
    };
  };
}