# Ente deployment for a single host: DNS records, sops-managed secrets, a MinIO
# object store bound to loopback, the Ente web and API services, and the nginx
# virtual hosts that publish them over TLS.
{ inputs, povSelf, hostConfig, config, pkgs, lib, dnsNix, ... }:
let
  inherit (lib) types;

  # Option values of this module, read from `config` at the path in `povSelf`.
  cfg = lib.getAttrFromPath povSelf config;

  # Front-end labels; each one is published as <label>.<subdomain>.<domain>.
  subdomains = [ "accounts" "api" "albums" "cast" "photos" ];

  # Names that recur below.
  serviceHost = "${cfg.subdomain}.${cfg.domain}";
  hostFqdn = config.networking.fqdn;
  s3Host = "s3.${hostFqdn}";

  # Path of a decrypted sops secret, by secret name.
  secretPath = name: config.sops.secrets.${name}.path;

  # TLS settings shared by every virtual host in this module. All of them reuse
  # the certificate issued for the host FQDN.
  # NOTE(review): that certificate has to carry every name served here
  # (<label>.<subdomain>.<domain>, the albums alias, and s3.<fqdn>) as a SAN;
  # the ACME definition is not in this file, so confirm it there.
  tlsFromHostCert = {
    useACMEHost = hostFqdn;
    forceSSL = true;
    kTLS = true;
  };
in
{
  options = {
    enable = {
      type = types.bool;
      default = false;
    };
    subdomain = {
      type = types.str;
      default = "ente";
    };
    domain = {
      type = types.str;
      default = "zaphyra.eu";
    };
  };

  config = lib.mkIf cfg.enable {
    # Every front-end label is a CNAME to <subdomain>.<domain>, which carries the
    # host's AAAA record. The S3 name is a CNAME to the host FQDN.
    dns.zones."${cfg.domain}".subdomains =
      lib.listToAttrs (
        map (
          label:
          lib.nameValuePair "${label}.${cfg.subdomain}" {
            CNAME = [ "${serviceHost}." ];
          }
        ) subdomains
      )
      // {
        "${cfg.subdomain}".AAAA = [ hostConfig.networking.ip6Address ];
        "s3.${config.networking.hostName}.infra".CNAME = [ "${hostFqdn}." ];
      };

    # Each secret is owned by the service account that consumes it.
    sops.secrets = {
      "environments/ente" = {
        owner = "ente";
        group = "ente";
      };
      "environments/minio" = {
        owner = "minio";
        group = "minio";
      };
    };

    # The ente unit gets its environment from the sops file.
    # NOTE(review): no S3 access key or secret is set under services.ente below,
    # so they presumably arrive through this file; confirm.
    systemd.services.ente.serviceConfig.EnvironmentFile = secretPath "environments/ente";

    # MinIO listens on IPv6 loopback only and is reached through the nginx
    # virtual host defined at the end of this module. Root credentials come from
    # the sops file; the web UI is switched off.
    services.minio = {
      enable = true;
      browser = false;
      listenAddress = "[::1]:9000";
      rootCredentialsFile = secretPath "environments/minio";
    };

    services.ente = {
      web = {
        enable = true;
        # label -> fully qualified name, for every front-end label.
        domains = lib.genAttrs subdomains (label: "${label}.${serviceHost}");
      };

      api = {
        enable = true;
        enableLocalDB = true;
        nginx.enable = true;
        domain = "api.${serviceHost}";

        settings = {
          # NOTE(review): hard-coded numeric ID under internal.admin; presumably
          # the account the API treats as administrator. Confirm it is the
          # intended account.
          internal.admin = 1580559962386438;

          # NOTE(review): use_path_style_urls and are_local_buckets sit inside
          # the bucket block here. Confirm that this is where the Ente server
          # reads them, and how are_local_buckets interacts with the https
          # endpoint.
          s3.b2-eu-cen = {
            use_path_style_urls = true;
            are_local_buckets = true;
            endpoint = "https://${s3Host}/";
            region = "us-east-1";
            bucket = "ente";
          };
        };
      };
    };

    services.nginx = {
      enable = true;

      virtualHosts =
        # One TLS virtual host per label except "albums", which is served as an
        # alias of the "photos" host.
        lib.listToAttrs (
          map (
            label:
            lib.nameValuePair "${label}.${serviceHost}" (
              tlsFromHostCert
              // {
                serverAliases = lib.mkIf (label == "photos") [ "albums.${serviceHost}" ];
              }
            )
          ) (lib.remove "albums" subdomains)
        )
        // {
          # TLS front for the loopback MinIO listener.
          # NOTE(review): no proxy headers are set in this block. S3 request
          # signatures cover the Host header, so confirm that
          # services.nginx.recommendedProxySettings (or an equivalent Host
          # pass-through) is enabled elsewhere.
          "${s3Host}" = tlsFromHostCert // {
            locations."/" = {
              proxyPass = "http://[::1]:9000";
              # Upper bound on the request body accepted for uploads.
              extraConfig = ''
                client_max_body_size 100m;
              '';
            };
          };
        };
    };
  };
}