# NixOS module fragment: runs the soju IRC bouncer on cfg.port behind an ACME
# certificate issued for cfg.fullyQualifiedDomain, as a static `soju`
# user/group. `doctrine` is accepted by the module signature but not used here.
{ config, pkgs, lib, cfg, doctrine, ... }:

with lib;

let
  domain = cfg.fullyQualifiedDomain;
  # Directory the ACME module manages for this domain's certificate files.
  acmeDir = config.security.acme.certs."${domain}".directory;
in
{
  # The certificate is group-owned by soju so the bouncer can read it, and
  # soju is reloaded whenever the certificate is renewed.
  security.acme.certs."${domain}" = {
    group = "soju";
    reloadServices = [ "soju.service" ];
  };

  networking.firewall.allowedTCPPorts = [ cfg.port ];

  services.soju = {
    enable = true;
    hostName = domain;
    # TLS-only listener bound to all interfaces at the configured port.
    listen = [ "ircs://[::]:${toString cfg.port}" ];
    tlsCertificate = "${acmeDir}/fullchain.pem";
    tlsCertificateKey = "${acmeDir}/key.pem";
  };

  systemd.services.soju = {
    # Ordering only (no Wants/Requires): start after the ACME unit has run.
    after = [ "acme-${domain}.service" ];
    serviceConfig = {
      # Something else (presumably the upstream soju module) enables
      # DynamicUser; it is forced off so the service runs as the static
      # `soju` account whose group owns the ACME files — confirm if that
      # module changes.
      DynamicUser = mkForce false;
      User = "soju";
      Group = "soju";
      # Sandboxing: read-only system tree, read-only home, private /tmp,
      # IPC objects removed when the service stops.
      ProtectSystem = "strict";
      ProtectHome = "read-only";
      PrivateTmp = true;
      RemoveIPC = true;
    };
  };

  # Static system account matching User/Group above.
  users = {
    users.soju = {
      isSystemUser = true;
      group = "soju";
    };
    groups.soju = { };
  };
}