{ config, lib, service_configs, site_config, ... }:
let
  ff = service_configs.firefly_iii;
  cfg = config.services.firefly-iii;

  # Database name and role are identical on purpose: the postgres
  # `ensureDBOwnership` below requires the owning role to carry the same
  # name as the database.
  dbName = "firefly-iii";

  # firefly-iii ships no service of its own: phpfpm-firefly-iii.service runs
  # the app and firefly-iii-setup.service runs migrations / cache rebuild.
  # Attaching the zfs mount to the setup unit lets the upstream `requiredBy`
  # chain (setup -> phpfpm) inherit the dependency.
  setupUnit = "firefly-iii-setup";
in
{
  imports = [
    (lib.serviceMountWithZpool setupUnit service_configs.zpool_ssds [ ff.dataDir ])
  ];

  services.firefly-iii = {
    enable = true;
    inherit (ff) dataDir;
    # The php-fpm unix socket defaults to mode 0660 (owner = user,
    # group = group); running in caddy's group is what lets the reverse
    # proxy open it. NOTE(review): the same group is applied to dataDir by
    # the upstream module, so anything in the caddy group presumably gets
    # group-level access to the data directory too — verify its mode.
    group = "caddy";
    virtualHost = ff.domain;

    settings = {
      APP_ENV = "production";
      # Application key is read from a file at runtime rather than placed in
      # the (world-readable) nix store.
      APP_KEY_FILE = config.age.secrets.firefly-iii-app-key.path;
      SITE_OWNER = site_config.contact_email;

      # PostgreSQL over the local unix socket with peer auth: DB_HOST defaults
      # to /run/postgresql for pgsql, so no password is involved.
      DB_CONNECTION = "pgsql";
      DB_DATABASE = dbName;
      DB_USERNAME = dbName;

      # Only the loopback (where caddy terminates TLS) may set X-Forwarded-*.
      # Keep this list to the proxy itself: every address listed here can
      # dictate the client IP / scheme the app sees.
      TRUSTED_PROXIES = "127.0.0.1,::1";
    };
  };

  services.postgresql = {
    ensureDatabases = [ dbName ];
    ensureUsers = [
      {
        name = dbName;
        ensureDBOwnership = true;
      }
    ];
  };

  # Serve the package's public/ tree directly and hand PHP requests to the
  # php-fpm pool created by the firefly-iii module.
  services.caddy.virtualHosts.${ff.domain}.extraConfig = ''
    encode zstd gzip
    root * ${cfg.package}/public
    php_fastcgi unix/${config.services.phpfpm.pools.firefly-iii.socket}
    file_server
  '';
}