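# Module for serving the static website over HTTPS via nginx.
#
# When enabled it publishes an AAAA record for `cfg.domain`, requests a
# certificate for that name from the configured ACME directory and serves
# `pkgs.zaphyra-website` as the document root.
{ povSelf, hostConfig, config, pkgs, lib, dnsNix, ... }:

let
  inherit (lib) types;

  # This module's own option values, looked up at the attribute path the
  # caller hands in as `povSelf`.
  cfg = lib.getAttrFromPath povSelf config;
in
{
  # NOTE(review): the options are plain attrsets rather than `lib.mkOption`
  # calls; presumably the surrounding module framework wraps them. Confirm.
  options = {
    # Off by default, so nothing below is applied unless a host opts in.
    enable = {
      type = types.bool;
      default = false;
    };

    # Name used for the DNS zone, the nginx virtual host and the certificate.
    domain = {
      type = types.str;
      default = "zaphyra.dn42";
    };
  };

  config = lib.mkIf cfg.enable {
    dns.zones."${cfg.domain}".AAAA = [ "fd6b:6174:6a61::2" ];

    # Keyed on cfg.domain (previously the literal "zaphyra.dn42") so that these
    # settings always apply to the certificate `enableACME` requests for the
    # virtual host below. With the literal name, overriding `domain` left the
    # vhost certificate without this ACME directory and key type.
    security.acme.certs."${cfg.domain}" = {
      # ACME directory inside dn42 rather than a public CA; clients need to
      # trust the CA behind it for the certificate to validate.
      server = "https://acme.burble.dn42/v1/dn42/acme/directory";
      # Renew once fewer than 20 days of validity remain.
      validMinDays = 20;
      keyType = "ec384";
      # No DNS-01 provider: validation is left to the HTTP-01 challenge that
      # the nginx `enableACME` integration serves.
      dnsProvider = null;
    };

    services.nginx = {
      enable = true;

      virtualHosts."${cfg.domain}" = {
        enableACME = true;
        # Plain-HTTP requests are redirected to HTTPS.
        forceSSL = true;
        kTLS = true;
        root = pkgs.zaphyra-website;

        # Wildcard CORS is limited to the OpenPGP Web Key Directory path, which
        # only serves public keys; keep it scoped to this location.
        # Caveat: nginx inherits `add_header` from the enclosing level only
        # when a location defines none of its own, so any security headers set
        # at server level are not sent for this path unless repeated here.
        extraConfig = ''
          location /.well-known/openpgpkey {
            add_header Access-Control-Allow-Origin * always;
          }
        '';
      };
    };
  };
}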