{
  pkgs,
  config,
  ...
}: let
  mountdir = "/var/media/dungflix";

  file = ''
    [dungflix]
    type = b2

    [dungflix-vault]
    type = crypt
    remote = dungflix:dungflix-bucket
  '';
in {
  age.secrets = {
    dungflix_bucket_account_id.file = ../../secrets/dungflix_bucket_account_id.age;
    dungflix_bucket_account_key.file = ../../secrets/dungflix_bucket_account_key.age;
    dungflix_crypt_remote_obscured_pass.file = ../../secrets/dungflix_crypt_remote_obscured_pass.age;
  };
  systemd.services.dungflix-mount = {
    description = "Mount the Backblaze B2 media store";
    wantedBy = ["multi-user.target"];
    path = [pkgs.fuse];
    preStart = ''
      mkdir -p -m 777 ${mountdir}
    '';
    script = ''
      export RCLONE_B2_ACCOUNT=''$(cat ${config.age.secrets.dungflix_bucket_account_id.path})
      export RCLONE_B2_KEY=''$(cat ${config.age.secrets.dungflix_bucket_account_key.path})
      export RCLONE_CRYPT_PASSWORD=''$(cat ${config.age.secrets.dungflix_crypt_remote_obscured_pass.path})
      ${pkgs.rclone}/bin/rclone --config="${pkgs.writeText "" file}" mount dungflix-vault: ${mountdir} \
        --transfers 32 \
        --vfs-cache-mode full \
        --vfs-cache-max-age 168h \
        --vfs-cache-max-size 100G \
        --allow-other \
        --no-modtime \
        --buffer-size 2G \
        --fast-list \
        --rc \
        --rc-no-auth \
        -vv
    '';
    postStart = ''
      sleep 5
      ${pkgs.rclone}/bin/rclone rc vfs/refresh recursive=true _async=true
    '';
  };
}