{
  pkgs,
  config,
  lib,
  ...
}:
let
  s = config.sops.secrets;

  dataDir = "/var/lib/minio";

  s3Port = 14749;
  consolePort = 10601;

  secretConfig = {
    owner = "minio";
    group = "minio";
    restartUnits = [ "minio.service" ];
    sopsFile = ../../secrets/monolith/default.yaml;
  };
in
{
  services.minio = {
    enable = true;

    dataDir = [ dataDir ];

    listenAddress = "0.0.0.0:${toString s3Port}";
    consoleAddress = "127.0.0.1:${toString consolePort}";

    rootCredentialsFile = config.sops.secrets."minio/root-credentials".path;
  };

  systemd.tmpfiles.rules = [
    "d ${dataDir} 0755 minio minio -"
  ];

  networking.firewall.allowedTCPPorts = [ s3Port ];

  sops.secrets = {
    "minio/root-credentials" = secretConfig;
  };
}