{
  config,
  serverphone,
  system,
  lib,
  ...
}: {
  config = lib.mkIf config.soispha.secrets.enable {
    services.serverphone = {
      package = "${serverphone.packages.${system}.default}";
      enable = true;
      domain = "localhost";
      configureDoas = true;
      acceptedSshKeys = [
        "AAAAC3NzaC1lZDI1NTE5AAAAIGBFuTNNn71Rhfnop2cdz3r/RhWWlCePnSBOhTBbu2ME"
      ];
      authorized = {
        acceptedGpgKeys = [
          {
            source = ./keys/key_1;
            trust = "ultimate";
          }
          {
            source = ./keys/key_2;
            trust = "ultimate";
          }
        ];
      };
      caCertificate = "${./certificates/ca.crt}";
      certificate = "${./certificates/server.crt}";
      privateKey = config.age.secrets.serverphoneServer.path;
      certificateRequest = {
        acceptedUsers = [
          "soispha $argon2id$v=19$m=19456,t=2,p=1$EvhPENIBqL5b1RO5waNMWA$pJ8vDrCNJKDlqwB5bVDLjHVPEXm9McQhtt9OXSD8Zkc"
        ];
        caPrivateKey = config.age.secrets.serverphoneCa.path;
      };
    };

    users.users.serverphone = {
      group = "serverphone";
      isSystemUser = true;
      home = "/run/serverphone";
    };
    users.groups.serverphone = {
      members = ["serverphone"];
    };
  };
}