# NixOS module: self-hosted mollysocket (Signal push relay) behind Caddy.
#
# Security posture visible here:
#   * the daemon listens on loopback only; the public hostname is served by
#     Caddy, which terminates TLS and proxies to the loopback port over h2c
#     (cleartext HTTP/2 — acceptable only because it never leaves the host);
#   * push endpoints are pinned to the self-hosted ntfy instance over https;
#   * the UUID allowlist lives in an agenix-provided environment file rather
#     than in `settings`, presumably so it stays out of the world-readable Nix
#     store — confirm MOLLY_ALLOWED_UUIDS is actually set in that file.
{ config, service_configs, lib, ... }:
let
  serviceName = "mollysocket";

  # Loopback-only listener; Caddy is the only intended client.
  listenHost = "127.0.0.1";
  listenPort = service_configs.ports.private.mollysocket.port;

  # Persistent state, placed on the SSD zpool by the project helper below.
  stateDir = "/var/lib/private/${serviceName}";

  # The only push endpoint mollysocket may talk to. Upstream denies
  # local-network endpoints by default, hence the explicit allowlist entry.
  ntfyEndpoint = "https://${service_configs.ntfy.domain}";

  publicHost = service_configs.mollysocket.domain;
in
{
  imports = [
    (lib.serviceMountWithZpool serviceName service_configs.zpool_ssds [ stateDir ])
    # NOTE(review): `/var/lib/private` is the path systemd uses for
    # DynamicUser state, yet this tmpfiles rule recursively chowns it to
    # root:root with mode 0700. Confirm the unit can still read and write its
    # state after this runs (systemd normally manages ownership of that
    # directory itself) — verify against the upstream mollysocket module.
    (lib.serviceFilePerms serviceName [ "Z ${stateDir} 0700 root root" ])
  ];

  services.mollysocket = {
    enable = true;
    # Secrets (e.g. MOLLY_ALLOWED_UUIDS) are injected from the age-encrypted
    # environment file, not written into the Nix store.
    environmentFile = config.age.secrets.mollysocket-env.path;
    settings = {
      host = listenHost;
      port = listenPort;
      allowed_endpoints = [ ntfyEndpoint ];
      # allowed_uuids intentionally absent here: set via MOLLY_ALLOWED_UUIDS
      # in environmentFile.
    };
  };

  # Public entry point. h2c stays on 127.0.0.1; TLS is Caddy's job.
  services.caddy.virtualHosts."${publicHost}".extraConfig = ''
    reverse_proxy h2c://${listenHost}:${toString listenPort}
  '';
}