{ config, ... }:
let secrets = config.age.secrets;
in
{

  # this unit is broken and useless. I don't know how to not install
  # it, so let's mask it.
  systemd.services.mdmonitor.enable = false;

  my.services = {
    samba = {
      enable = true;
      publicShares = [ "/data/fast/music" "/data/fast/videos" ];
    };
    navidrome = {
      enable = true;
      vhostName = "music.fcuny.xyz";
      musicFolder = "/data/fast/music";
    };
    unifi = {
      enable = true;
      vhostName = "unifi.fcuny.xyz";
    };
    gitea = {
      enable = true;
      stateDir = "/var/lib/gitea";
    };
    drone = {
      enable = true;
      vhostName = "ci.fcuny.net";
      runners = [ "docker" "exec" ];
      sharedSecretFile = secrets."drone/secrets".path;
    };
    prometheus = { enable = true; };
    grafana = {
      enable = true;
      vhostName = "dash.fcuny.xyz";
    };
    rclone = { enable = true; };
    nginx = { enable = true; };
    transmission = {
      enable = true;
      vhostName = "bt.fcuny.xyz";
    };
    metrics-exporter = { enable = true; };
    syncthing.enable = true;
    sendsms.enable = true;
    backup = {
      enable = true;
      repository = "/data/slow/backups/systems";
      timerConfig = { OnCalendar = "00:15"; };
      passwordFile = secrets."restic/repo-systems".path;
      paths =
        [
          "/data/fast/music"
          "/data/fast/photos"
          "/home"
        ];
      exclude = [
        "/home/fcuny/.cache"
        "/home/fcuny/import"
        "/home/fcuny/media/videos"
      ];
    };
  };
}