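# NixOS module for a single-host Mastodon instance: ACME account settings,
# an SMTP password decrypted by sops-nix, the Mastodon service itself
# (nginx front end, locally created database), and the firewall openings
# for HTTP/HTTPS.
{ lib, pkgs, config, ... }:
{
  # ACME account used for certificate issuance; acceptTerms must be true
  # before NixOS will request any certificate.
  security.acme = {
    acceptTerms = true;
    defaults.email = "fedi@cdaut.de";
  };

  # set up smtp pass
  sops = {
    # The SSH host key doubles as the age identity: anything able to read
    # this key can decrypt every secret encrypted for this host, so keep it
    # root-only and out of backups and images.
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

    secrets.smtp_pass = {
      sopsFile = ../../secrets/mastodon/secrets.yaml;
      # sops-nix writes secrets root-owned with mode 0400 unless told
      # otherwise. The Mastodon units run as the unprivileged service user
      # and read passwordFile themselves, so without an explicit owner the
      # read fails and SMTP authentication ends up with no password.
      # Ownership goes to that one user only; the mode stays 0400.
      owner = config.services.mastodon.user;
    };
  };

  services.mastodon = {
    enable = true;
    streamingProcesses = 1;
    localDomain = "puppyplaypissparty.de";
    # Lets the module create the nginx virtual host for localDomain.
    configureNginx = true;

    smtp = {
      fromAddress = "fedi@cdaut.de";
      host = "mail.cdaut.de";
      user = "fedi@cdaut.de";
      # 587 is the mail submission port, where TLS is negotiated via STARTTLS.
      # NOTE(review): confirm that Mastodon is set to require STARTTLS rather
      # than merely attempt it (SMTP_ENABLE_STARTTLS; verify against the
      # deployed Mastodon version), so credentials are never sent in clear
      # after a stripped STARTTLS offer.
      port = 587;
      authenticate = true;
      # A path, not the secret: the password never enters the world-readable
      # Nix store.
      passwordFile = config.sops.secrets.smtp_pass.path;
    };

    database = {
      createLocally = true;
    };
  };

  # Only the web ports are exposed; 80 is presumably kept for ACME HTTP-01
  # validation and the redirect to HTTPS.
  networking.firewall.allowedTCPPorts = [ 80 443 ];
}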