# NixOS module for a local QEMU test VM that runs Pixelfed through the
# project's `fediversity` module. The values below (plain HTTP, open
# registration, an inline application key) fit a throwaway VM on
# `localhost`; review each of them before reusing this file for anything
# reachable by other users.
{ pkgs, modulesPath, ... }:

{
  imports = [
    ../fediversity
    (modulesPath + "/virtualisation/qemu-vm.nix")
  ];

  fediversity = {
    enable = true;
    domain = "localhost";
    pixelfed.enable = true;
  };

  # Only plain HTTP is opened in the guest firewall; no TLS port is exposed.
  networking.firewall.allowedTCPPorts = [ 80 ];

  services.pixelfed = {
    # TODO: secrets management!
    # `pkgs.writeText` places this file in the Nix store, which is readable by
    # every local user, and the key is also committed to the repository. Treat
    # this APP_KEY as public: it must never be reused outside this test VM.
    # A real deployment should point `secretFile` at a path outside the store
    # that is provisioned at runtime with restrictive permissions.
    secretFile = pkgs.writeText "secrets.env" ''
      APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA
    '';

    settings = {
      # Anyone who can reach the instance can create an account.
      OPEN_REGISTRATION = true;
      # Generated URLs stay on http://, matching the port-80-only setup above.
      FORCE_HTTPS_URLS = false;
    };

    # I feel like this should have an `enable` option and be configured via
    # `services.nginx` rather than mirroring those options in
    # services.pixelfed.nginx
    # TODO: If that indeed makes sense, upstream it.
    nginx = {
      # Disabled proxy rule, kept for reference. It refers to `config`, which
      # is not among this module's arguments and would have to be added
      # before the line can be re-enabled.
      # locations."/public/".proxyPass = "${config.fediversity.internal.garage.web.urlFor "pixelfed"}/public/";
    };
  };

  virtualisation = {
    memorySize = 2048;

    # Host port 8000 is forwarded to the guest's HTTP port.
    # NOTE(review): no `host.address` is given here; confirm which host
    # interfaces the forward listens on if the host is on a shared network.
    forwardPorts = [
      {
        from = "host";
        host.port = 8000;
        guest.port = 80;
      }
    ];
  };
}