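{ povSelf, hostConfig, config, pkgs, lib, ... }:
# Module for the flauschehorn site: a daily fetcher fills a sqlite database in
# the unit's StateDirectory, and an fcgiwrap-backed CGI binary served by nginx
# reads that database.
let
  inherit (lib) types;

  # This module's own config subtree, addressed by the path handed in as
  # `povSelf` by the surrounding framework.
  cfg = lib.getAttrFromPath povSelf config;

  # Sandboxing shared by both units.  The fetcher parses data pulled from a
  # remote instance and the website parses HTTP query strings, so both get
  # the same restrictions.  RestrictAddressFamilies is deliberately not in
  # here: the fetcher is restricted to IPv4/IPv6 below, and what the CGI
  # binary needs is not known from this file.
  sandboxing = {
    NoNewPrivileges = true;
    PrivateTmp = true;
    PrivateDevices = true;
    DevicePolicy = "closed";
    RestrictNamespaces = true;
    RestrictRealtime = true;
    # DynamicUser= implies ProtectSystem=strict; spelling out "strict" keeps
    # the file honest about the effective sandbox (it previously said "full",
    # which reads as weaker than what applies).  StateDirectory stays writable.
    ProtectSystem = "strict";
    ProtectControlGroups = true;
    ProtectKernelModules = true;
    ProtectKernelTunables = true;
    LockPersonality = true;
  };
in
{
  options = {
    # NOTE(review): these option attrsets are not wrapped in lib.mkOption;
    # assumes the module framework behind `povSelf` does that — confirm.
    enable = { type = types.bool; default = false; };
    domain = { type = types.str; default = "zaphyra.eu"; };
    subdomain = { type = types.str; default = "flauschehorn"; };
  };

  config = lib.mkIf cfg.enable {
    # Point <subdomain>.<domain> at this host.
    dns.zones."${cfg.domain}".subdomains."${cfg.subdomain}".CNAME = [ "${config.networking.fqdn}." ];
    # required because this subdomain is still set in the flauschehorn.sexy-zone
    dns.zones."ctu.cx".subdomains."63bc37c61bda3c1f4fa1f270f8890c7f89c24353.acme".CNAME = [ "63bc37c61bda3c1f4fa1f270f8890c7f89c24353.acme.infra.zaphyra.eu." ];

    # With DynamicUser= the StateDirectory lives under /var/lib/private;
    # persist that path so the database survives reboots on an impermanent root.
    modules.filesystem.impermanence.system.dirs = [ "/var/lib/private/flauschehorn" ];

    # Daily job that (re)builds the sqlite database.
    systemd.services.flauschehornFetcher = {
      environment.DB_PATH = "/var/lib/flauschehorn/db.sqlite";
      startAt = "*-*-* 3:00:00";
      wants = [ "network-online.target" ];
      after = [ "network-online.target" ];
      serviceConfig = sandboxing // {
        Type = "oneshot";
        ExecStart = "${pkgs.flauschehorn-sexy}/bin/mastofetch";
        DynamicUser = true;
        User = "flauschehorn";
        Group = "flauschehorn";
        StateDirectory = "flauschehorn";
        # Owner-writable so the fetcher can create/replace the database.
        # NOTE(review): the fcgiwrap unit below re-applies 555 to the same
        # directory whenever it (re)starts, so the mode alternates between
        # the two units; confirm that is intended.
        StateDirectoryMode = "755";
        UMask = "022";
        # The fetcher only talks to the network over IP.
        RestrictAddressFamilies = "AF_INET AF_INET6";
      };
    };

    # CGI side: fcgiwrap runs the website binary as the same dynamic user with
    # a read-only view of the shared state directory.  The sandboxing values
    # are mkDefault so anything the fcgiwrap module itself contributes to this
    # unit takes precedence instead of producing a conflicting definition.
    systemd.services.fcgiwrap-flauschehorn.serviceConfig = {
      DynamicUser = true;
      User = "flauschehorn";
      Group = "flauschehorn";
      StateDirectory = "flauschehorn";
      # NOTE(review): 555 also drops the owner's write bit, so the website
      # cannot create sqlite journal/WAL side files here — fine only if it
      # opens the database read-only; confirm.
      StateDirectoryMode = "555";
    } // lib.mapAttrs (_: lib.mkDefault) sandboxing;

    # nginx connects to the fcgiwrap socket, so the socket is owned by nginx.
    services.fcgiwrap.instances.flauschehorn = {
      socket.user = config.services.nginx.user;
      socket.group = config.services.nginx.group;
    };

    services.nginx = {
      enable = true;
      virtualHosts."${cfg.subdomain}.${cfg.domain}" = {
        # NOTE(review): the certificate of the fqdn ACME host must list
        # flauschehorn.sexy as a SAN, otherwise clients using the alias get a
        # name-mismatch error — confirm.
        serverAliases = [ "flauschehorn.sexy" ];
        useACMEHost = "${config.networking.fqdn}";
        forceSSL = true;
        kTLS = true;
        # DB_PATH is taken from the fetcher unit so both sides agree on the file.
        locations."/".extraConfig = ''
          include "${pkgs.nginx}/conf/fastcgi_params";
          fastcgi_param SCRIPT_FILENAME "${pkgs.flauschehorn-sexy}/bin/website";
          fastcgi_param DB_PATH "${config.systemd.services.flauschehornFetcher.environment.DB_PATH}";
          fastcgi_param QUERY_STRING $args;
          fastcgi_pass unix:${config.services.fcgiwrap.instances.flauschehorn.socket.address};
        '';
      };
    };
  };
}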