{ config, pkgs, lib, ... }:

let
  # Primary host name of this site; also the key under zpha.websites.
  host = "flauschehorn.zaphyra.eu";
  cfg = config.zpha.websites.${host};

  pkg = pkgs.zpha.flauschehorn-sexy;

  # Both units below run as this DynamicUser and share its StateDirectory
  # (/var/lib/private/flauschehorn, exposed as /var/lib/flauschehorn).
  stateUser = "flauschehorn";
  stateDir = "flauschehorn";
  dbPath = "/var/lib/flauschehorn/db.sqlite";

  fetcherSvc = config.systemd.services.flauschehornFetcher;
  fcgiSocket = config.services.fcgiwrap.instances.flauschehorn.socket.address;
in
{
  options.zpha.websites.${host}.enable = lib.mkEnableOption "";

  config = lib.mkIf cfg.enable {

    # Point the site at this machine's FQDN.
    dns.zones."zaphyra.eu".subdomains."flauschehorn".CNAME = [ "${config.networking.fqdn}." ];

    # Still needed because this ACME challenge subdomain is also present in the
    # flauschehorn.sexy zone.
    dns.zones."ctu.cx".subdomains."63bc37c61bda3c1f4fa1f270f8890c7f89c24353.acme".CNAME = [
      "63bc37c61bda3c1f4fa1f270f8890c7f89c24353.acme.fc9f.de."
    ];

    # Keep the database across reboots (DynamicUser state lives under /var/lib/private).
    common.configure.persist.system.dirs = [ "/var/lib/private/${stateDir}" ];

    # Nightly job that fills the sqlite database the website reads.
    systemd.services.flauschehornFetcher = {
      environment.DB_PATH = dbPath;
      startAt = "*-*-* 3:00:00";
      wants = [ "network-online.target" ];
      after = [ "network-online.target" ];

      serviceConfig = {
        Type = "oneshot";
        ExecStart = "${pkg}/bin/mastofetch";

        DynamicUser = true;
        User = stateUser;
        Group = stateUser;
        StateDirectory = stateDir;
        # NOTE(review): the fcgiwrap unit below requests mode 555 for the same
        # StateDirectory; systemd re-applies the mode of whichever unit starts,
        # so the effective mode alternates — confirm this is intended.
        StateDirectoryMode = "755";
        UMask = "022";

        # Sandboxing: only IPv4/IPv6 sockets, no new privileges, read-only
        # system, no device/kernel/cgroup access, no namespaces/realtime.
        NoNewPrivileges = true;
        PrivateTmp = true;
        PrivateDevices = true;
        RestrictAddressFamilies = "AF_INET AF_INET6";
        RestrictNamespaces = true;
        RestrictRealtime = true;
        ProtectSystem = "full";
        ProtectControlGroups = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        DevicePolicy = "closed";
        LockPersonality = true;
      };
    };

    # The fcgiwrap instance runs as the same user so it can read the database.
    # NOTE(review): unlike the fetcher, this unit carries no sandboxing options
    # (NoNewPrivileges, PrivateTmp, ProtectSystem, ...); consider aligning them,
    # since this is the process that handles web requests.
    systemd.services.fcgiwrap-flauschehorn.serviceConfig = {
      DynamicUser = true;
      User = stateUser;
      Group = stateUser;
      StateDirectory = stateDir;
      StateDirectoryMode = "555";
    };

    # Socket owned by the nginx user/group so the web server can connect to it.
    services.fcgiwrap.instances.flauschehorn = {
      socket.user = config.services.nginx.user;
      socket.group = config.services.nginx.group;
    };

    services.nginx = {
      enable = true;

      virtualHosts.${host} = {
        serverAliases = [ "flauschehorn.sexy" ];
        # Reuse the host-wide ACME certificate; see the ctu.cx CNAME above.
        useACMEHost = config.networking.fqdn;
        forceSSL = true;
        kTLS = true;

        # Everything is served by the CGI binary through fcgiwrap; the DB path is
        # taken from the fetcher's environment so both sides agree on it.
        locations."/".extraConfig = ''
          include "${pkgs.nginx}/conf/fastcgi_params";
          fastcgi_param SCRIPT_FILENAME "${pkg}/bin/website";
          fastcgi_param DB_PATH "${fetcherSvc.environment.DB_PATH}";
          fastcgi_param QUERY_STRING $args;
          fastcgi_pass unix:${fcgiSocket};
        '';
      };
    };
  };
}