{
  config,
  pkgs,
  lib,
  ...
}: let
  cfg = config.services.bluesky-relay;
in
  with lib; {
    options.services.bluesky-relay = {
      enable = mkEnableOption "relay server";
      package = mkPackageOption pkgs "bluesky-relay" {};
    };
    config = mkIf cfg.enable {
      systemd.services.bluesky-relay = {
        description = "bluesky relay";
        after = ["network.target" "pds.service"];
        wantedBy = ["multi-user.target"];

        serviceConfig = {
          User = "relay";
          Group = "relay";
          StateDirectory = "relay";
          StateDirectoryMode = "0755";
          Environment = [
            "RELAY_ADMIN_PASSWORD=password"
            "RELAY_PLC_HOST=https://plc.tngl.boltless.dev"
            "DATABASE_URL=sqlite:///var/lib/relay/relay.sqlite"
            "RELAY_IP_BIND=:2470"
            "RELAY_PERSIST_DIR=/var/lib/relay"
            "RELAY_DISABLE_REQUEST_CRAWL=0"
            "RELAY_INITIAL_SEQ_NUMBER=1"
            "RELAY_ALLOW_INSECURE_HOSTS=1"
          ];
          ExecStart = "${getExe cfg.package} serve";
          Restart = "always";
          RestartSec = 5;
        };
      };
      users = {
        users.relay = {
          group = "relay";
          isSystemUser = true;
        };
        groups.relay = {};
      };
    };
  }