# NixOS module enabling the tide service and wiring its environment file
# through sops-nix.  `domainName` is supplied by the enclosing configuration
# (module argument / specialArgs); all other module arguments are ignored.
{ domainName, ... }:

{
  services = {
    tide = {
      enable = true;
      domain = "tide.${domainName}";
      apiDomain = "apitide.${domainName}";
      # Environment file the service loads; it is the decrypted output of
      # the sops.secrets."tide-env" entry declared further down (sops-nix
      # places secrets under /run/secrets/<name> by default).
      secretsFile = "/run/secrets/tide-env";
      # Reuse the wildcard cert already issued for *.${domainName} in
      # configuration.nix instead of requesting a new one per subdomain.
      # NOTE(review): in nixpkgs' nginx virtualHost module a null
      # `useACMEHost` means "do not reuse another host's cert"; if the tide
      # module follows that convention, reusing the wildcard cert would need
      # the issuing host name here rather than null — confirm against the
      # tide module's option definition.
      nginx.useACMEHost = null;
    };
  };

  sops = {
    # Do not fail evaluation when secrets/tide.yaml is missing (e.g. on a
    # fresh checkout before the operator has encrypted it).  This only
    # relaxes the eval-time check: sops-install-secrets still errors at
    # activation time if the file is absent, which is where that failure
    # belongs.
    validateSopsFiles = false;

    age = {
      # Host age identity generated with age-keygen; the recipient of the
      # encrypted file is the public key paired with this private key.
      # The key lives outside the Nix store and must stay readable by root
      # only, since it decrypts every secret on this host.
      keyFile = "/var/lib/sops-nix/key.txt";
      # Disable the SSH-host-key-derived identity that sops-nix would
      # otherwise fall back to, so only the age key above is ever tried.
      sshKeyPaths = [ ];
    };
    gnupg.sshKeyPaths = [ ];

    secrets."tide-env" = {
      sopsFile = ./secrets/tide.yaml;
      # phpfpm reads this via EnvironmentFile, which is processed as root
      # before dropping to the tide user, so root-only (0400) is sufficient;
      # no owner/group override is needed.
      mode = "0400";
    };
  };
}