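# NixOS module for Tandoor Recipes. Only active when "tandoor" is listed in
# config.machine.services; otherwise mkIf leaves every option untouched.
{ config, lib, ... }:
let
  # Upload directory (recipe images etc.). Exported as MEDIA_ROOT below so the
  # reverse proxy can serve the very same path; keep the two in sync.
  mediaRoot = "/var/www/tandoor-recipes/media/";
in
lib.mkIf (lib.elem "tandoor" config.machine.services) {
  services.tandoor-recipes = {
    enable = true;
    # Option reference: https://docs.tandoor.dev/system/configuration/
    extraConfig = {
      # Set explicitly so the web server can reference the same directory.
      MEDIA_ROOT = mediaRoot;
      # Upstream changes media handling between releases, so pin this instead
      # of relying on the default: media is served by the web server from
      # mediaRoot, not by gunicorn. The web server must therefore expose
      # mediaRoot itself, with whatever access restrictions the deployment
      # requires.
      GUNICORN_MEDIA = "0";
      # Django SECRET_KEY is read from the sops-managed file at runtime, so it
      # never ends up in the world-readable Nix store.
      SECRET_KEY_FILE = config.sops.secrets."services/tandoor/secretKey".path;
      # Debugging aids. Do not enable these on an Internet-facing host: DEBUG
      # and DEBUG_TOOLBAR expose internals in error pages, and ENABLE_SIGNUP
      # lets anyone who can reach the service register an account.
      # ENABLE_SIGNUP = "1";
      # DEBUG = "1";
      # DEBUG_TOOLBAR = "1";
      # GUNICORN_LOG_LEVEL = "debug";
    };
  };

  systemd.services.tandoor-recipes.serviceConfig = {
    # The media directory lives outside the service's state dir, so it has to
    # be whitelisted for writes or uploads fail. NOTE(review): this presumes
    # the upstream unit restricts filesystem writes (ProtectSystem/ReadOnlyPaths);
    # confirm against the packaged unit.
    ReadWritePaths = [ mediaRoot ];
    # Overrides the upstream unit's working directory; mkForce is needed
    # because the upstream module already sets this option.
    WorkingDirectory = lib.mkForce "/var/lib/tandoor-recipes";
  };

  # The secret-key file is owned by the service user so only the service can
  # read it (sops-nix presumably applies its default restrictive mode; verify
  # the resulting file is not group/world readable).
  sops.secrets."services/tandoor/secretKey" = {
    owner = "tandoor_recipes";
    group = "tandoor_recipes";
  };
}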