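# NixOS module: runs the soju IRC bouncer on a TLS-only listener (ircs, port
# 6697), using an ACME certificate whose files are group-readable by a
# dedicated static `soju` system user.
{ lib, pkgs, config, ... }:
let
  # One definition of the host name, so the certificate entry, the service
  # host name and the ACME unit name below cannot drift apart.
  domain = "soju.posixlycorrect.com";

  # Directory where the ACME module places fullchain.pem / key.pem.
  sojuCertDir = config.security.acme.certs.${domain}.directory;
in
{
  security.acme.certs.${domain} = {
    # Reload soju after a renewal so it picks up the new certificate.
    reloadServices = [ "soju.service" ];
    # Certificate files (including the private key) are owned by this group;
    # the service below runs with Group = "soju", which is what lets it read
    # key.pem. Keep membership of this group minimal.
    group = "soju";
  };

  # Only the TLS listener is exposed; no plaintext IRC port is opened.
  networking.firewall.allowedTCPPorts = [ 6697 ];

  services.soju = {
    enable = true;
    hostName = domain;
    listen = [ "ircs://[::]:6697" ];
    tlsCertificate = "${sojuCertDir}/fullchain.pem";
    tlsCertificateKey = "${sojuCertDir}/key.pem";
  };

  systemd.services.soju = {
    # Ordering only: start after the ACME unit for this certificate.
    after = [ "acme-${domain}.service" ];

    serviceConfig = {
      DynamicUser = lib.mkForce false; # fuck dynamic users
      # Static identity instead; presumably chosen so the service can share
      # the certificate's group (see security.acme.certs above).
      User = "soju";
      Group = "soju";

      # systemd's DynamicUser= implies the sandboxing settings below (see
      # systemd.exec(5)). With DynamicUser forced off they have to be set
      # explicitly, otherwise the unit silently loses that hardening.
      ProtectSystem = "strict";
      ProtectHome = "read-only";
      PrivateTmp = true;
      RemoveIPC = true;
      # Also implied by DynamicUser=: the service cannot gain privileges via
      # setuid/setgid binaries and cannot create such files itself.
      NoNewPrivileges = true;
      RestrictSUIDSGID = true;
    };
  };

  users = {
    users.soju = {
      isSystemUser = true;
      group = "soju";
    };
    groups.soju = { };
  };
}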