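{ config, lib, pkgs, ... }:
# NixOS module: serves a GPX-derived tile map at bikemap.zaphyra.eu.
#
# Flow: a push to the gitolite repository "biketracks" runs the post-receive
# hook below as the `git` user; the hook uses sudo (NOPASSWD) to run
# `deployScript` as root, which starts the oneshot unit `deployBikemap`.
# That unit runs as the unprivileged `bikemap` user: it clones the repo into
# a private tmpdir, renders tiles, and swaps the result into the nginx
# webroot /var/lib/bikemap (which is also the bikemap user's home).
let
  cfg = config.zpha.websites."bikemap.zaphyra.eu";
  gitolite = config.common.services.gitolite;
  repo = "${gitolite.dataDir}/repositories/biketracks.git";
  systemctl = "${pkgs.systemd}/bin/systemctl";

  # Entry point the `git` user may run as root via sudo. Every command is
  # referenced by absolute store path and `status` never spawns a pager, so
  # nothing here resolves through the caller's environment (PATH, PAGER,
  # SYSTEMD_PAGER, ...) while running with root privileges. `start` on a
  # oneshot unit blocks until the deploy finishes; `status` is then printed
  # back to the pusher for diagnostics, whether or not the start succeeded.
  deployScript = pkgs.writeShellScript "deployBikemap" ''
    ${systemctl} start deployBikemap
    ${systemctl} status --no-pager deployBikemap
  '';
in
{
  options.zpha.websites."bikemap.zaphyra.eu".enable = lib.mkEnableOption "";

  config = lib.mkIf cfg.enable {
    assertions = lib.singleton {
      assertion = gitolite.enable;
      message = "The option 'common.services.gitolite.enable' must be enabled in order to use this module.";
    };

    dns.zones."zaphyra.eu".subdomains."bikemap".CNAME =
      lib.singleton "${config.networking.fqdn}.";

    # Persist the webroot/home across reboots. Group is the gitolite group so
    # the deploy unit can read the bare repository.
    common.configure.persist.system.dirs = lib.singleton {
      directory = "/var/lib/bikemap";
      mode = "0755";
      user = "bikemap";
      inherit (gitolite) group;
    };

    users.users."bikemap" = {
      isSystemUser = true;
      inherit (gitolite) group;
      createHome = true;
      homeMode = "755";
      home = "/var/lib/bikemap";
    };

    # Only the exact store path of deployScript may be run, as root, without
    # a password. SETENV is deliberately NOT granted: it would let the git
    # user inject arbitrary environment variables into a root-run command.
    security.sudo.extraRules = lib.singleton {
      users = [ "git" ];
      runAs = "root";
      commands = lib.singleton {
        command = "${deployScript}";
        options = [ "NOPASSWD" ];
      };
    };

    systemd.services.deployBikemap = {
      description = "Rebuild the bikemap tiles from the biketracks repository";
      script = ''
        # strict mode
        set -euo pipefail
        IFS=$'\n\t'

        TMP_DIR=$(mktemp -d)
        # Single-quoted so "$TMP_DIR" is expanded when the trap fires.
        trap 'rm -rf -- "$TMP_DIR"' INT TERM ERR EXIT

        # safe.directory is passed on the command line (a protected config
        # scope git honours) instead of `git config --global --add`, which
        # appended a duplicate entry to ~/.gitconfig on every run and left
        # that file inside the directory nginx serves.
        ${pkgs.git}/bin/git -c safe.directory="${repo}" clone "${repo}" "$TMP_DIR/tracks"
        mkdir "$TMP_DIR/tiles"
        ${pkgs.zpha.generateTilesFromGPX}/bin/generateTilesFromGPX "$TMP_DIR/tracks" "$TMP_DIR/tiles"

        # Tiles were rendered successfully (set -e); only now replace the
        # webroot contents. `~` is /var/lib/bikemap, set via User= above.
        rm -rf -- ~/*
        ln -sf ${pkgs.zpha.gpx-map}/index.html ~/index.html
        ln -sf ${pkgs.zpha.gpx-map}/bundle.js ~/bundle.js
        mv "$TMP_DIR/tiles" ~/tiles
        echo "{\"lastUpdated\":\"$(date +"%Y-%m-%d %H:%M")\"}" > ~/lastUpdated.json
      '';
      serviceConfig = {
        Type = "oneshot";
        User = "bikemap";
        Group = gitolite.group;
        WorkingDirectory = "~";
        StateDirectory = "bikemap";
        StateDirectoryMode = "755";
        # Sandboxing: the job only needs the bare repo (read) and its own
        # state dir (write); no network, devices or privilege changes.
        NoNewPrivileges = true;
        PrivateTmp = true;
        PrivateDevices = true;
        RestrictAddressFamilies = "none";
        RestrictNamespaces = true;
        RestrictRealtime = true;
        ProtectSystem = "full";
        ProtectControlGroups = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        DevicePolicy = "closed";
        LockPersonality = true;
      };
    };

    # deploy bikemap: only pushes to the "biketracks" repository trigger it.
    # `=` rather than `==` keeps the test valid under a POSIX sh interpreter
    # (the hook's shebang is provided elsewhere); the setuid sudo wrapper is
    # addressed explicitly, and `-n` fails fast instead of hanging on a
    # password prompt should the sudoers rule above ever be missing.
    common.services.gitolite.commonHooks.post-receive = ''
      if [ "$GL_REPO" = "biketracks" ]; then
        ${config.security.wrapperDir}/sudo -n ${deployScript}
      fi
    '';

    services.nginx.virtualHosts."bikemap.zaphyra.eu" = {
      useACMEHost = config.networking.fqdn;
      forceSSL = true;
      kTLS = true;
      # The webroot is also the bikemap user's home directory; never serve
      # dotfiles that may be created there (e.g. ~/.gitconfig).
      root = "/var/lib/bikemap/";
      locations."~ /\\.".extraConfig = "deny all;";
    };
  };
}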