# NixOS module: gomuks web frontend for gomuks.zaphyra.eu, published through
# an nginx TLS reverse proxy. Everything under `config` is applied only when
# zpha.websites."gomuks.zaphyra.eu".enable is set.
{
  config,
  lib,
  pkgs,
  ...
}:
let
  # Public host name; used as the option key and the nginx vhost name.
  domain = "gomuks.zaphyra.eu";
  site = config.zpha.websites.${domain};

  # sops-managed secrets holding the web login for gomuks.
  usernameSecret = config.sops.secrets."gomuks/username";
  passwordSecret = config.sops.secrets."gomuks/password";

  # Address the gomuks web server binds to; nginx proxies to the same value,
  # so the two cannot drift apart.
  backend = config.services.gomuks.zaphyra.settings.web.listen_address;
in
{
  options.zpha.websites.${domain}.enable = lib.mkEnableOption "";

  config = lib.mkIf site.enable {
    # gomuks.zaphyra.eu is an alias for this machine's FQDN.
    dns.zones."zaphyra.eu".subdomains."gomuks".CNAME = [ "${config.networking.fqdn}." ];

    # Directory registered with the project's persistence option.
    # NOTE(review): presumably the service's state directory - confirm the
    # permissions on the persisted copy match what the unit expects.
    common.configure.persist.system.dirs = [ "/var/lib/private/gomuks-zaphyra" ];

    sops.secrets = {
      "gomuks/username" = { };
      "gomuks/password" = { };
    };

    # Pass the secret files to the unit as systemd credentials named
    # WEB_USERNAME and WEB_PASSWORD. Only the secret *paths* appear in this
    # expression; the values are read by systemd when the service starts.
    systemd.services.gomuks-zaphyra.serviceConfig.LoadCredential = [
      "WEB_USERNAME:${usernameSecret.path}"
      "WEB_PASSWORD:${passwordSecret.path}"
    ];

    services = {
      gomuks.zaphyra = {
        package = pkgs.unstable.gomuks-web;
        settings = {
          # IPv6 loopback only: the web UI is reachable from the network
          # solely through the nginx vhost below.
          web.listen_address = "[::1]:29325";

          # "\${...}" is escaped, so Nix emits the literal placeholder text.
          # NOTE(review): substitution from the credentials above presumably
          # happens in the services.gomuks module - confirm, otherwise the
          # placeholder strings themselves become the username and hash.
          web.username = "\${WEB_USERNAME}";

          # NOTE(review): this setting is a password *hash*, but the secret
          # is named "gomuks/password" - confirm the sops value stores the
          # hash in the format gomuks expects, not the plaintext password.
          web.password_hash = "\${WEB_PASSWORD}";
        };
      };

      nginx.virtualHosts.${domain} = {
        # Serves the certificate issued for the machine's FQDN.
        # NOTE(review): that certificate must also cover gomuks.zaphyra.eu;
        # the ACME definition is not visible here - confirm.
        useACMEHost = config.networking.fqdn;
        # Plain-HTTP requests are redirected to HTTPS.
        forceSSL = true;
        kTLS = true;
        locations."/" = {
          # Unencrypted hop, but it never leaves the loopback interface.
          proxyPass = "http://${backend}";
          proxyWebsockets = true;
        };
      };
    };
  };
}