{
  service_configs,
  lib,
  ...
}:
{
  imports = [
    (lib.serviceMountWithZpool "traccar" service_configs.zpool_ssds [
      "/var/lib/private/traccar"
    ])
    (lib.serviceFilePerms "traccar" [
      "Z /var/lib/private/traccar 0700 root root"
    ])
    (lib.mkCaddyReverseProxy {
      subdomain = "traccar";
      port = service_configs.ports.private.traccar_web.port;
    })
  ];

  services.traccar = {
    enable = true;
    settings = {
      web.port = toString service_configs.ports.private.traccar_web.port;

      # Only enable OsmAnd protocol (phone app). Prevents Traccar from
      # opening 200+ default protocol ports that conflict with other services.
      protocols.enable = "osmand";
      osmand.port = toString service_configs.ports.public.traccar_tracking.port;
    };
  };

  # OsmAnd tracking port must be reachable from the internet for the phone app
  networking.firewall.allowedTCPPorts = [
    service_configs.ports.public.traccar_tracking.port
  ];
}