{ pkgs, ... }: {
  services.garage = {
    enable = true;
    package = pkgs.garage_0_8;
    settings = {
      db_engine = "lmdb";
      block_size = (10 * 1024 * 1024); # 10MB
      replication_mode = "none";
      rpc_bind_addr = "[::1]:3901";
      rpc_public_addr = "[::1]:3901";
      rpc_secret = "f5b8ede0abe0a3d454d96e8b352e29a1d94522b64274d23b256d57482441ccc1";

      s3_api = {
        s3_region = "garage";
        api_bind_addr = "[::1]:3900";
        root_domain = ".s3.infra.newtype.fr";
      };

      s3_web = {
        bind_addr = "[::1]:3902";
        root_domain = ".web.infra.newtype.fr";
        index = "index.html";
      };
    };
  };

  services.nginx = {
    enable = true;
    virtualHosts."s3.infra.newtype.fr" = {
      forceSSL = true;
      enableACME = true;
      locations."/".proxyPass = "http://[::1]:3900/";
    };
  };

  networking.firewall.allowedTCPPorts = [ 80 443 ];
}