# Module that exposes an rclone-backed restic server behind an nginx virtual
# host with forced TLS and HTTP basic auth, and publishes a CNAME for it.
# Both credentials (rclone config and htpasswd file) are declared as sops
# secrets; the module hands only their `.path` values to the service.
{
  povSelf,
  hostConfig,
  config,
  lib,
  dnsNix,
  ...
}:
let
  # This module's own option values, looked up in `config` at the attribute
  # path given by `povSelf`.
  moduleCfg = lib.getAttrFromPath povSelf config;

  # Public name of the service. The same string is used for the nginx virtual
  # host and for the domain passed to the rcloneResticServer module.
  vhostName = "${moduleCfg.subdomain}.${moduleCfg.domain}";

  # Fully qualified name of this host: CNAME target and ACME certificate name.
  hostFqdn = config.networking.fqdn;
in
{
  # NOTE(review): options are plain attrsets rather than lib.mkOption calls;
  # presumably the surrounding module framework wraps them. Confirm.
  options = {
    enable = {
      type = lib.types.bool;
      default = false;
    };
    domain = {
      type = lib.types.str;
      default = "zaphyra.eu";
    };
    subdomain = {
      type = lib.types.str;
      default = "restic.${config.networking.hostName}.infra";
    };
  };

  config = lib.mkIf moduleCfg.enable {
    # Point the service name at this host (trailing dot = absolute DNS name).
    dns.zones."${moduleCfg.domain}".subdomains."${moduleCfg.subdomain}".CNAME = [
      "${hostFqdn}."
    ];

    sops.secrets = {
      # No owner/mode is set here, so the sops-nix defaults apply.
      # NOTE(review): confirm the account running the rclone restic server can
      # read this file and that no broader group or mode is configured
      # elsewhere. The rclone config presumably holds storage-backend
      # credentials.
      rcloneConfig = { };

      # Owned by nginx because nginx reads the htpasswd file to enforce basic
      # auth on the virtual host.
      resticServerHtpasswd = {
        owner = "nginx";
      };
    };

    modules.services.rcloneResticServer = {
      enable = true;
      configFile = config.sops.secrets.rcloneConfig.path;
      # NOTE(review): the semantics of this `nginx` sub-config are defined in
      # the rcloneResticServer module, not here. Verify that the backend
      # listens only on a local address or socket, so basic auth at the proxy
      # cannot be bypassed by connecting to the backend directly.
      nginx = {
        enable = true;
        domain = vhostName;
        basicAuthFile = config.sops.secrets.resticServerHtpasswd.path;
      };
    };

    services.nginx = {
      enable = true;
      virtualHosts."${vhostName}" = {
        # Reuses the certificate issued under the host's FQDN.
        # NOTE(review): that certificate must also cover `vhostName` (e.g. via
        # extraDomainNames on the ACME cert), otherwise restic clients get a
        # name mismatch. This is not visible in this file; confirm.
        useACMEHost = hostFqdn;
        # Redirect plain HTTP to HTTPS so basic-auth credentials and backup
        # traffic are not sent in clear text.
        forceSSL = true;
        kTLS = true;
      };
    };
  };
}