# Ente deployment for ente.zaphyra.eu.
#
# Declares the option `zpha.websites."ente.zaphyra.eu".enable` and, when it is
# set, configures DNS records, sops secrets, persisted state directories,
# PostgreSQL, a loopback-only MinIO instance, the Ente web and API services,
# and the nginx virtual hosts that front them.
{
  machineConfig,
  config,
  lib,
  ...
}:
let
  # Sub-sites served below ente.zaphyra.eu.
  subdomains = [
    "accounts"
    "api"
    "albums"
    "cast"
    "photos"
  ];

  cfg = config.zpha.websites."ente.zaphyra.eu";
  fqdn = config.networking.fqdn;

  # TLS settings shared by every virtual host defined here.
  # NOTE(review): all vhosts reuse the ACME certificate of the host FQDN, so
  # that certificate has to list each name below as a SAN. Nothing in this
  # module adds them; presumably done elsewhere, confirm.
  tlsVhost = {
    useACMEHost = fqdn;
    forceSSL = true;
    kTLS = true;
  };

  # "albums" gets no vhost of its own; it is served as an alias of "photos".
  dedicatedVhosts = lib.filter (sub: sub != "albums") subdomains;
in
{
  # NOTE(review): the option description is an empty string.
  options.zpha.websites."ente.zaphyra.eu".enable = lib.mkEnableOption "";

  config = lib.mkIf cfg.enable {

    dns.zones = {
      # <sub>.ente.zaphyra.eu -> CNAME ente.zaphyra.eu, which carries the
      # machine's IPv6 address as its only address record.
      "zaphyra.eu".subdomains =
        (lib.genAttrs' subdomains (
          sub:
          lib.nameValuePair "${sub}.ente" {
            CNAME = [ "ente.zaphyra.eu." ];
          }
        ))
        // {
          "ente".AAAA = [ machineConfig.networking.ip6Address ];
        };

      # Public name of the S3 endpoint, pointing back at this host.
      "fc9f.de".subdomains."s3.${config.networking.hostName}".CNAME = [ "${fqdn}." ];
    };

    # Each secret file is owned by the service account that reads it.
    sops.secrets = {
      "environments/ente" = {
        owner = "ente";
        group = "ente";
      };
      "environments/minio" = {
        owner = "minio";
        group = "minio";
      };
    };

    # State directories to persist, each restricted to its owning user (0700).
    common.configure.persist.system.dirs = [
      {
        user = "minio";
        group = "minio";
        directory = "/var/lib/minio";
        mode = "0700";
      }
      {
        user = "postgres";
        group = "postgres";
        directory = "/var/lib/postgresql";
        mode = "0700";
      }
      {
        inherit (config.services.ente.api) user group;
        directory = "/var/lib/ente";
        mode = "0700";
      }
    ];

    # The ente unit loads the decrypted sops file as its environment.
    # NOTE(review): the S3 settings below carry no key/secret, so the
    # credentials presumably arrive through this file. Confirm.
    systemd.services.ente.serviceConfig.EnvironmentFile = config.sops.secrets."environments/ente".path;

    services = {
      postgresql.enable = true;

      # MinIO listens on IPv6 loopback only, with the web UI switched off;
      # the nginx "s3." vhost below is the only route to it defined here.
      minio = {
        enable = true;
        rootCredentialsFile = config.sops.secrets."environments/minio".path;
        browser = false;
        listenAddress = "[::1]:9000";
      };

      ente = {
        web = {
          enable = true;
          domains = lib.genAttrs subdomains (sub: "${sub}.ente.zaphyra.eu");
        };

        api = {
          enable = true;
          enableLocalDB = true;
          nginx.enable = true;
          domain = "api.ente.zaphyra.eu";
          settings = {
            # NOTE(review): presumably the numeric ID of the user granted
            # admin rights. Confirm.
            internal.admin = 1580559962386438;

            # NOTE(review): upstream's sample configuration lists
            # `are_local_buckets` and `use_path_style_urls` directly under
            # `s3`, not under the bucket entry. Confirm they take effect
            # here, and that `are_local_buckets` is compatible with the
            # https endpoint.
            s3.b2-eu-cen = {
              use_path_style_urls = true;
              are_local_buckets = true;
              endpoint = "https://s3.${fqdn}/";
              region = "us-east-1";
              bucket = "ente";
            };
          };
        };
      };

      nginx.virtualHosts =
        (lib.genAttrs' dedicatedVhosts (
          sub:
          lib.nameValuePair "${sub}.ente.zaphyra.eu" (
            tlsVhost
            // {
              serverAliases = lib.mkIf (sub == "photos") [ "albums.ente.zaphyra.eu" ];
            }
          )
        ))
        // {
          # TLS-terminating reverse proxy in front of the loopback MinIO
          # listener. This publishes the S3 API, so access control rests on
          # MinIO credentials and bucket policy.
          # NOTE(review): signed S3 requests cover the Host header, so the
          # proxy must forward the original Host. No proxy_set_header is set
          # here; presumably handled by global nginx proxy settings, confirm.
          "s3.${fqdn}" = tlsVhost // {
            locations."/" = {
              proxyPass = "http://[::1]:9000";
              # Request bodies above 100m are rejected by nginx.
              extraConfig = ''
                client_max_body_size 100m;
              '';
            };
          };
        };
    };
  };
}