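# Photo-gallery module: generates a static site from a read-only view of the
# photo directory with `gallery` and serves it with nginx under
# <subdomain>.<domain>, publishing a CNAME for that name.
#
# povSelf / hostConfig / dnsNix come from the host's own module framework, not
# plain NixOS; the option shape below ({ type; default; }) is presumably what
# that framework expects rather than lib.mkOption — TODO confirm. hostConfig
# and dnsNix are accepted but unused here.
{ povSelf, hostConfig, config, pkgs, lib, dnsNix, ... }:
let
  inherit (lib) types;
  # This module's own option values, looked up at the path the framework hands us.
  cfg = lib.getAttrFromPath povSelf config;
in
{
  options = {
    enable = { type = types.bool; default = false; };
    subdomain = { type = types.str; default = "photos"; };
    domain = { type = types.str; default = "zaphyra.eu"; };
  };

  config = lib.mkIf cfg.enable (
    let
      # Settings for the `gallery` generator; rendered to an INI file below.
      galleryConfig = {
        globalSection = {
          SourceDir = "/mnt/photos.zaphyra.eu";   # read-only bindfs view of the photos (fileSystems below)
          TargetDir = "/var/lib/gallery";         # the service's StateDirectory
          MogrifyCmd = "${pkgs.imagemagick}/bin/mogrify";
        };
        sections = {
          Thumbnails = {
            SmallHeight = "200";
            SmallQuality = "90";
          };
          Site = {
            Author = "zaphyra";
            Name = "zaphyra.photos";
            Description = "photos that i made";
            Tags = "zaphyra, zaphyra bahnbilder";
            ShowOriginalsButton = "true";
            SymlinkOriginals = "true";
            EnableJS = "true";
          };
        };
      };

      # Written to the store, so its path can be passed on the command line.
      galleryConfigFile = pkgs.writeText "gallery.ini"
        (lib.generators.toINIWithGlobalSection { } galleryConfig);
    in
    {
      # Point the public name at this host (trailing dot: fully qualified).
      dns.zones."${cfg.domain}".subdomains."${cfg.subdomain}".CNAME =
        [ "${config.networking.fqdn}." ];

      # With DynamicUser the StateDirectory really lives under /var/lib/private;
      # keep it across reboots so the site is not regenerated from scratch.
      modules.filesystem.impermanence.system.dirs = [ "/var/lib/private/gallery" ];

      # Read-only, world-readable bind views: one of the source photos for the
      # generator, one of the generated site for nginx.
      fileSystems."/mnt/photos.zaphyra.eu" = {
        device = "/home/zaphyra/Pictures/photos.zaphyra.eu";
        fsType = "fuse.bindfs";
        options = [ "ro" "perms=0000:a+rX" ];
      };
      fileSystems."/mnt/photos.zaphyra.eu-webdir" = {
        device = "/var/lib/private/gallery";
        fsType = "fuse.bindfs";
        options = [ "ro" "perms=0000:a+rX" ];
      };

      systemd.services.gallery = {
        #startAt = "*-*-* *:0/10:00";
        wantedBy = [ "multi-user.target" ];
        # The generator reads the bindfs mount, so it must not start before local
        # mounts are up. Requires= alone gives no ordering; After= is needed too.
        requires = [ "local-fs.target" ];
        after = [ "local-fs.target" ];
        path = [ pkgs.imagemagick ];
        serviceConfig = {
          Type = "oneshot";
          DynamicUser = true;
          ExecStart = "${pkgs.gallery}/bin/gallery ${galleryConfigFile}";
          # Stable names for the dynamic user so file ownership is predictable.
          User = "gallery";
          Group = "gallery";
          StateDirectory = "gallery";
          StateDirectoryMode = "755";
          NoNewPrivileges = true;
          PrivateTmp = true;
          PrivateDevices = true;
          RestrictNamespaces = true;
          RestrictRealtime = true;
          # NOTE(review): DynamicUser=true would by itself imply
          # ProtectSystem=strict; "full" explicitly relaxes that. The generator
          # only needs to write its StateDirectory, so "strict" looks viable —
          # confirm before tightening.
          ProtectSystem = "full";
          ProtectControlGroups = true;
          ProtectKernelModules = true;
          ProtectKernelTunables = true;
          DevicePolicy = "closed";
          LockPersonality = true;
        };
      };

      # Empty here; presumably a hook for paths nginx should be given read-only
      # access to — TODO confirm whether this is still needed.
      systemd.services.nginx.serviceConfig.BindReadOnlyPaths = [ ];

      services.nginx = {
        enable = true;
        virtualHosts."${cfg.subdomain}.${cfg.domain}" = {
          # Reuses the host's ACME certificate; that certificate must carry this
          # name as an extra domain for TLS to validate — TODO confirm.
          useACMEHost = "${config.networking.fqdn}";
          forceSSL = true;
          kTLS = true;
          root = "/mnt/photos.zaphyra.eu-webdir";
          # Nix turns the unknown escape "\." into a bare ".", so the earlier
          # pattern matched any character before "html"; "\\." yields the
          # literal "\." nginx needs to match only ".html" suffixes.
          # HTML is never cached: directives are comma-separated, so "private"
          # needs its own comma.
          locations."~* \\.html$".extraConfig = ''
            add_header Last-Modified $date_gmt;
            add_header Cache-Control 'private, no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
            if_modified_since off;
            expires off;
            etag off;
          '';
        };
      };
    }
  );
}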