# NixOS module that wires the `services.actual` service into this host:
#   * declares the `services.actual.subdomain` option,
#   * creates the data directory and points the service at it,
#   * registers the service behind the host's reverse proxy,
#   * persists the data directory when impermanence is enabled.
# Everything under `config` is only applied when `services.actual.enable` is set.
{
  lib,
  config,
  ...
}:
let
  cfg = config.services.actual;

  # Single source of truth for the on-disk location; the tmpfiles rule, the
  # service setting, and the persistence entry below all refer to it.
  dataDirectory = "/var/lib/actual/";
in
{
  options.services.actual.subdomain = lib.mkOption {
    type = lib.types.str;
    default = "actual";
    description = "subdomain of base domain that actual will be hosted at";
  };

  config = lib.mkIf cfg.enable (
    lib.mkMerge [
      {
        # Mode 2770: setgid bit plus rwx for owner and group, nothing for others.
        # NOTE(review): the `actual` user and group are not declared in this
        # module; confirm the service module creates them as static accounts,
        # otherwise this rule and the persistence entry below refer to
        # accounts that do not exist.
        systemd.tmpfiles.rules = [
          "d ${dataDirectory} 2770 actual actual"
        ];

        # The proxy reaches the backend over plain HTTP on localhost.
        # NOTE(review): this module does not set the address the service
        # listens on. Confirm it binds to loopback only (or that the port is
        # closed in the firewall), so the backend cannot be reached directly
        # without going through the reverse proxy.
        host.reverse_proxy.subdomains.${cfg.subdomain}.target =
          "http://localhost:${toString cfg.settings.port}";

        # NOTE(review): verify that the `services.actual` module actually reads
        # `ACTUAL_DATA_DIR` from `settings`. If `settings` is rendered into a
        # config file rather than exported as environment variables, this key
        # may be ignored and data would land somewhere other than
        # `dataDirectory` even though the assertion below still passes.
        services.actual.settings.ACTUAL_DATA_DIR = dataDirectory;
      }

      (lib.mkIf config.services.fail2ban.enable {
        # TODO: configuration for fail2ban for actual
        # Until a jail is defined here, enabling fail2ban on the host adds no
        # protection for the login endpoint exposed through the reverse proxy.
      })

      (lib.mkIf config.host.impermanence.enable {
        # Fails evaluation if another module overrides the data directory, so
        # the persisted path below cannot silently drift from the one in use.
        assertions = [
          {
            assertion = cfg.settings.ACTUAL_DATA_DIR == dataDirectory;
            message = "actual data location does not match persistence";
          }
        ];

        environment.persistence."/persist/system/root".directories = [
          {
            directory = dataDirectory;
            user = "actual";
            group = "actual";
          }
        ];
      })
    ]
  );
}