# NixOS host configuration for the "panel" deployment: pulls in the panel
# module, sets ACME defaults, defines an ssh-agent unit plus the matching
# SSH_AUTH_SOCK default, gives root an SSH client config, and configures the
# panel service itself.
{
  config,
  pkgs,
  ...
}:
let
  # Service name, reused for the `services.<name>` option path and the state directory.
  name = "panel";
in
{
  imports = [
    (import ../../../panel { }).module
  ];

  # ACME (certificate issuance) defaults: accept the CA's terms and set the
  # contact address used for the account.
  security.acme = {
    acceptTerms = true;
    defaults.email = "beheer@procolix.com";
  };

  # start SSH agent for root user
  #
  # NOTE(review): this is declared under `systemd.services` (system manager),
  # yet the settings match a per-user unit. systemd documents ConditionUser=
  # as constant for system units because the manager always runs as root; with
  # "!@system" that would presumably make the condition fail, so the agent
  # never starts. Confirm with `systemctl status ssh-agent` on the host.
  # NOTE(review): for a system unit %t should expand to /run, so the socket
  # would be /run/ssh-agent, while the shell init below points SSH_AUTH_SOCK
  # at $XDG_RUNTIME_DIR/ssh-agent. Verify that the two paths actually agree.
  systemd.services.ssh-agent = {
    description = "SSH Agent";
    wantedBy = [ "default.target" ];
    unitConfig.ConditionUser = "!@system";
    serviceConfig = {
      # Remove a stale socket left by a previous run before binding a new one.
      ExecStartPre = "${pkgs.coreutils}/bin/rm -f %t/ssh-agent";
      ExecStart = "${pkgs.openssh}/bin/ssh-agent -a %t/ssh-agent";
      StandardOutput = "null";
      Type = "forking";
      Restart = "on-failure";
      # Exit status 2 is treated as a clean exit, so it does not trigger Restart=on-failure.
      SuccessExitStatus = "0 2";
    };
    environment.DISPLAY = "fake"; # required to make ssh-agent start $SSH_ASKPASS
  };

  # Shell init snippet: default SSH_AUTH_SOCK to the agent socket, but only
  # when the variable is not already set and XDG_RUNTIME_DIR is non-empty, so
  # a forwarded or pre-existing agent is never overridden.
  environment.extraInit = ''
    if [ -z "$SSH_AUTH_SOCK" -a -n "$XDG_RUNTIME_DIR" ]; then
      export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent"
    fi
  '';

  home-manager = {
    users.root.home = {
      stateVersion = "25.05";
      # Root's outbound SSH connections offer the machine's own host key as
      # the client identity.
      # NOTE(review): this reuses one private key for two roles (sshd host
      # identity and root's client authentication). Rotating or revoking it
      # for one role therefore affects the other, and any remote that
      # authorises this key trusts whoever can read the host key. A dedicated
      # client key would keep the roles separate. Confirm the reuse is intended.
      file.".ssh/config" = {
        text = ''
          IdentityFile /etc/ssh/ssh_host_ed25519_key
        '';
      };
    };
  };

  services.${name} = {
    enable = true;
    production = true;
    domain = "demo.fediversity.eu";
    # FIXME: make it work without this duplication
    settings =
      let
        # Re-read this service's own final option values so that the host and
        # origin lists below follow `domain` / `host`.
        cfg = config.services.${name};
      in
      {
        # NOTE(review): these keys look like Django settings, but the module
        # that consumes them is not shown here. Confirm against ../../../panel.
        STATIC_ROOT = "/var/lib/${name}/static";
        # Keep debug output off on a publicly reachable host.
        DEBUG = false;
        # Host names the application accepts: the public domain, the
        # configured host, and loopback over IPv4 and IPv6.
        ALLOWED_HOSTS = [
          cfg.domain
          cfg.host
          "localhost"
          "[::1]"
        ];
        # Only the HTTPS origin of the public domain is listed as trusted.
        CSRF_TRUSTED_ORIGINS = [ "https://${cfg.domain}" ];
        COMPRESS_OFFLINE = true;
        LIBSASS_OUTPUT_STYLE = "compressed";
      };
    secrets = {
      # Passed as a path taken from `config.age.secrets`, not as an inline
      # value. The declaration of `panel-secret-key` is not in this file, so
      # check the secret file's owner and mode where it is declared.
      SECRET_KEY = config.age.secrets.panel-secret-key.path;
    };
    port = 8000;
  };
}