{
  config,
  lib,
  ...
}:
let
  inherit (lib.lists) singleton;
  inherit (lib.modules) mkIf;
  inherit (lib.options) mkEnableOption;
  inherit (builtins) toString;
  port = 3867;
  httpd_port = 3868;
  domain = "seed.faukah.com";

  cfg = config.modules.system.services.radicle;
in
{
  options.modules.system.services.radicle.enable = mkEnableOption "radicle";
  config.services = mkIf cfg.enable {
    nginx = {
      enable = true;
      virtualHosts.${domain} = {
        addSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "http://localhost:${toString httpd_port}";
        };
      };
    };
    radicle = {
      enable = true;
      checkConfig = true;
      privateKeyFile = "/etc/ssh/ssh_host_ed25519_key";
      publicKey = "/etc/ssh/ssh_host_ed25519_key.pub";
      httpd = {
        enable = true;
        listenPort = httpd_port;
      };
      settings = {
        preferredSeeds = [
          "z6MkrLMMsiPWUcNPHcRajuMi9mDfYckSoJyPwwnknocNYPm7@iris.radicle.xyz:8776"
          "z6Mkmqogy2qEM2ummccUthFEaaHvyYmYBYh3dbe9W4ebScxo@rosa.radicle.xyz:8776"
        ];
        node = {
          alias = domain;
          listen = singleton "[::]:${toString port}";
          externalAddresses = singleton "${domain}:${toString port}";
          seedingPolicy = {
            default = "block";
            scope = "all";
          };
        };
      };
    };
  };
}