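# Fleet preset for zaphyra hosts: root SSH access, ACME certificates obtained
# via RFC 2136 DNS updates with a TSIG key from sops, an nginx default vhost for
# the host's FQDN, and A/AAAA records for the host in the zaphyra.eu zone.
{ povSelf, pkgs, lib, config, hostConfig, ... }:
let
  inherit (lib) types;
  # Enable flag of this preset, looked up at this module's own option path.
  cfg = lib.getAttrFromPath povSelf config;
in
{
  option = {
    type = types.bool;
    default = false;
  };

  config = lib.mkIf cfg {
    # TSIG key for the ACME DNS-01 challenge; declared here so that
    # `config.sops.secrets.acmeTSIGKey.path` exists for credentialFiles below.
    sops.secrets.acmeTSIGKey = { };

    users.users.root = {
      extraGroups = [ "ssh" ];
      # Public key shipped inside the zaphyra-website package, read at eval time.
      openssh.authorizedKeys.keys = [
        (builtins.readFile "${pkgs.zaphyra-website}/ssh_pubkey.asc")
      ];
    };

    # Publish this host's addresses under zaphyra.eu, but only addresses that
    # hostConfig does not mark as private.
    # NOTE(review): removeSuffix is a no-op when the FQDN is not under
    # zaphyra.eu, so the whole FQDN would become the subdomain label — confirm
    # every host using this preset lives in that zone.
    dns.zones."zaphyra.eu".subdomains."${lib.removeSuffix ".zaphyra.eu" config.networking.fqdn}" =
      lib.mkIf (hostConfig ? networking) (
        let
          networkCfg = hostConfig.networking;
        in
        {
          AAAA = lib.mkIf ((networkCfg ? ip6Address) && !networkCfg.ip6IsPrivate) [ networkCfg.ip6Address ];
          A = lib.mkIf ((networkCfg ? ip4Address) && !networkCfg.ip4IsPrivate) [ networkCfg.ip4Address ];
        }
      );

    modules = {
      presets.zaphyra = {
        syncthing.enable = lib.mkDefault true;
      };
      # Smartcard support and keyd follow the graphical preset.
      hardware.smartcard.enable = lib.mkDefault config.modules.presets.graphical.enable;
      services = {
        keyd.enable = lib.mkDefault config.modules.presets.graphical.enable;
        openssh = {
          enable = lib.mkDefault true;
          enableRSASupport = lib.mkDefault true;
        };
        prometheusExporters.enable = lib.mkDefault true;
        # NOTE: set without mkDefault, unlike the other services in this
        # block — presumably intentional; confirm before adding mkDefault.
        vnstat.enable = true;
        vnstat.vnstati.enable = true;
      };
    };

    # Keep issued certificates and ACME account state across reboots on
    # impermanent root filesystems.
    modules.filesystem.impermanence.system.dirs = [ "/var/lib/acme" ];

    security.acme = {
      acceptTerms = true;
      defaults = {
        email = "letsencrypt@zaphyra.eu";
        keyType = "ec384";
        # DNS-01 via RFC 2136 dynamic updates against the zaphyra nameserver.
        dnsProvider = "rfc2136";
        # Non-secret parameters only: this file is written to the Nix store.
        # The TSIG secret itself comes from sops via credentialFiles.
        environmentFile = pkgs.writeText "acme-dns-env" ''
          RFC2136_NAMESERVER=morio.infra.zaphyra.eu
          RFC2136_TSIG_KEY=acme-nix-${config.networking.hostName}
          RFC2136_TSIG_ALGORITHM=hmac-sha384
        '';
        credentialFiles = {
          RFC2136_TSIG_SECRET_FILE = config.sops.secrets.acmeTSIGKey.path;
        };
      };
      certs."${config.networking.fqdn}" = {
        group = lib.mkIf config.services.nginx.enable "nginx";
        # Cover every nginx vhost name and its serverAliases with the one host
        # certificate. The lambda parameter is named `vhost` rather than
        # `config` so it no longer shadows the module's `config` argument.
        extraDomainNames = (
          config.services.nginx.virtualHosts
          |> lib.mapAttrsToList (
            key: vhost: [
              (if vhost ? serverAliases then vhost.serverAliases else [ ])
              key
            ]
          )
          |> lib.flatten
        );
      };
    };

    services = {
      timesyncd.enable = lib.mkDefault true;
      fstrim.enable = lib.mkDefault true;
      journald.extraConfig = "SystemMaxUse=2.5G";
      logind.killUserProcesses = lib.mkDefault true;
      nginx = {
        enable = lib.mkDefault true;
        recommendedGzipSettings = true;
        recommendedOptimisation = true;
        recommendedProxySettings = true;
        recommendedTlsSettings = true;
        # NOTE(review): `access_log off` disables nginx request logging on every
        # host with this preset; revisit if access logs are wanted for
        # detection or incident review.
        commonHttpConfig = ''
          server_names_hash_bucket_size 64;
          charset utf-8;
          access_log off;
        '';
        # Default vhost for the host's own name, TLS-only, using the ACME
        # certificate declared above.
        virtualHosts."${config.networking.fqdn}" = {
          useACMEHost = config.networking.fqdn;
          forceSSL = true;
          kTLS = true;
          default = true;
        };
      };
    };

    # HTTP is needed for the forceSSL redirect; HTTPS serves the vhost.
    networking.firewall.allowedTCPPorts = [ 80 443 ];
    environment.systemPackages = with pkgs; [ ghostty.terminfo ];
  };
}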