{
  config,
  lib,
  pkgs,
  ...
}: let
  cfg = config.services.invidious;
in {
  services.invidious = {
    enable = true;
    database = {
      createLocally = true;
    };
    domain = "invidious.vhack.eu";
    nginx.enable = true;
    extraSettingsFile = "$CREDENTIALS_DIRECTORY/hmac";

    settings = {
      check_tables = true;
    };
  };
  systemd.services.invidious.serviceConfig = {
    LoadCredential = "hmac:${config.age.secrets.invidiousHmac.path}";

    script = let
      # taken from the invidious module
      settingsFormat = pkgs.formats.json {};
      settingsFile = settingsFormat.generate "invidious-settings" cfg.settings;

      jqFilter =
        "."
        + lib.optionalString (cfg.database.host != null) "[0].db.password = \"'\"'\"$(cat ${lib.escapeShellArg cfg.database.passwordFile})\"'\"'\""
        + " | .[0]"
        + lib.optionalString (cfg.extraSettingsFile != null) " * .[1]";

      # don't escape extraSettingsFile, to allow variable substitution
      jqFiles =
        settingsFile
        + lib.optionalString (cfg.extraSettingsFile != null) " \"${cfg.extraSettingsFile}\"";
    in ''
      export INVIDIOUS_CONFIG="$(${pkgs.jq}/bin/jq -s "${jqFilter}" ${jqFiles})"
      exec ${cfg.package}/bin/invidious
    '';
  };
}