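# Bikemap: renders a static map site from the GPX tracks kept in the
# gitolite repository "biketracks".  A push to that repository triggers a
# root-run oneshot unit (via a narrowly scoped sudo rule) that regenerates
# the tiles into the bikemap user's home, which nginx serves read-only.
{ povSelf, hostConfig, config, pkgs, lib, ... }:

let
  inherit (lib) types;
  cfg = lib.getAttrFromPath povSelf config;
  gitolite = config.modules.services.gitolite;
  systemctl = "${config.systemd.package}/bin/systemctl";
in
{
  options = {
    enable = {
      type = types.bool;
      default = false;
    };
    domain = {
      type = types.str;
      default = "zaphyra.eu";
    };
    subdomain = {
      type = types.str;
      default = "bikemap";
    };
  };

  config = lib.mkIf cfg.enable (
    let
      # Fixed store-path wrapper that the gitolite user may run via sudo.
      # `systemctl start` blocks until the oneshot finishes, so its exit
      # status is the deploy result; `status` only prints the log for the
      # pusher and exits 3 for a finished (inactive) oneshot, which must not
      # become the wrapper's exit code.
      deployScript = pkgs.writeShellScript "deployBikemap" ''
        set -u
        ${systemctl} start deployBikemap; rc=$?
        ${systemctl} status --no-pager deployBikemap || true
        exit "$rc"
      '';
    in
    {
      assertions = [
        {
          assertion = gitolite.enable;
          message = "The option 'modules.services.gitolite.enable' must be enabled in order to use this module.";
        }
      ];

      dns.zones."${cfg.domain}".subdomains."${cfg.subdomain}".CNAME = [
        "${config.networking.fqdn}."
      ];

      # World-readable on purpose: this directory is the nginx document root.
      modules.filesystem.impermanence.system.dirs = [
        {
          directory = "/var/lib/bikemap";
          mode = "0755";
          user = "bikemap";
          group = gitolite.group;
        }
      ];

      # Member of the gitolite group so the bare repository can be cloned
      # locally without going through ssh.
      users.users."bikemap" = {
        isSystemUser = true;
        group = gitolite.group;
        createHome = true;
        homeMode = "755";
        home = "/var/lib/bikemap";
      };

      security.sudo.extraRules = [
        {
          users = [ "git" ];
          commands = [
            {
              # Exact store path of the wrapper above: the gitolite user can
              # trigger this one unit and nothing else.  No SETENV -- systemctl
              # needs nothing from the caller's environment, so sudo's default
              # env_reset stays in effect.
              command = "${deployScript}";
              options = [ "NOPASSWD" ];
            }
          ];
        }
      ];

      systemd.services.deployBikemap = {
        description = "Rebuild the bikemap site from the biketracks repository";
        script = ''
          # strict mode
          set -euo pipefail
          IFS=$'\n\t'

          TMP_DIR=$(mktemp -d)
          trap 'rm -rf "$TMP_DIR"' SIGINT SIGTERM ERR EXIT

          REPO="${gitolite.dataDir}/repositories/biketracks.git"

          # The repository is owned by the gitolite user, so git refuses to
          # open it as "bikemap" unless it is listed as a safe.directory.
          # Keep that entry in a throw-away global config instead of
          # ~/.gitconfig: $HOME is also the nginx document root, so a
          # persistent ~/.gitconfig would be served publicly (the glob in
          # `rm -rf ~/*` below does not match dot-files) and `--add` would
          # append a duplicate entry on every deploy.
          export GIT_CONFIG_GLOBAL="$TMP_DIR/gitconfig"
          ${pkgs.git}/bin/git config --global --add safe.directory "$REPO"
          ${pkgs.git}/bin/git clone "$REPO" "$TMP_DIR/tracks"

          mkdir "$TMP_DIR/tiles"
          ${pkgs.generateTilesFromGPX}/bin/generateTilesFromGPX "$TMP_DIR/tracks" "$TMP_DIR/tiles"

          # Replace the served content (not atomic: the site is briefly
          # empty between the rm and the mv).
          rm -rf ~/*
          ln -sf ${pkgs.gpx-map}/index.html ~/index.html
          ln -sf ${pkgs.gpx-map}/bundle.js ~/bundle.js
          mv "$TMP_DIR/tiles" ~/tiles
          echo "{\"lastUpdated\":\"$(date +"%Y-%m-%d %H:%M")\"}" > ~/lastUpdated.json
        '';
        serviceConfig = {
          Type = "oneshot";
          User = "bikemap";
          Group = gitolite.group;
          WorkingDirectory = "~";
          StateDirectory = "bikemap";
          StateDirectoryMode = "755";
          # Sandboxing: the unit only needs the state directory, a private
          # /tmp and read access to the gitolite data dir.  No networking.
          # NOTE(review): ProtectSystem=strict should also work here since
          # everything written lives under StateDirectory or /tmp -- verify
          # before tightening.
          NoNewPrivileges = true;
          PrivateTmp = true;
          PrivateDevices = true;
          RestrictAddressFamilies = "none";
          RestrictNamespaces = true;
          RestrictRealtime = true;
          ProtectSystem = "full";
          ProtectControlGroups = true;
          ProtectKernelModules = true;
          ProtectKernelTunables = true;
          DevicePolicy = "closed";
          LockPersonality = true;
        };
      };

      # Shared post-receive hook: only pushes to "biketracks" trigger a
      # deploy.  Written as an if-block so pushes to other repositories do
      # not leave the hook with a non-zero exit status.
      modules.services.gitolite.commonHooks.post-receive = ''
        # deploy bikemap
        if [ "$GL_REPO" = "biketracks" ]; then
          sudo ${deployScript}
        fi
      '';

      services.nginx = {
        enable = true;
        virtualHosts."${cfg.subdomain}.${cfg.domain}" = {
          useACMEHost = config.networking.fqdn;
          forceSSL = true;
          kTLS = true;
          root = "/var/lib/bikemap/";
          # The document root is the bikemap user's $HOME; never serve
          # dot-files (a stray ~/.gitconfig, ~/.cache, ...) from it.
          locations."~ /\\." = {
            return = "404";
          };
        };
      };
    }
  );
}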