# NixOS module for the Memos notes instance published at notes.zaphyra.eu.
#
# When the enable toggle is set, this module:
#   * publishes a CNAME for the site pointing at this host's FQDN,
#   * declares the two sops secrets used by the restic backup job,
#   * persists and backs up the Memos state directory,
#   * runs Memos on the IPv6 loopback address and fronts it with an
#     HTTPS-only nginx virtual host.
{
  config,
  lib,
  pkgs,
  ...
}:
let
  domain = "notes.zaphyra.eu";
  cfg = config.zpha.websites.${domain};
  memos = config.services.memos;
  secrets = config.sops.secrets;
in
{
  # The description string is empty, so the generated option documentation
  # will not name what is being enabled.
  options.zpha.websites.${domain}.enable = lib.mkEnableOption "";

  config = lib.mkIf cfg.enable {
    # The trailing dot makes the CNAME target an absolute name.
    dns.zones."zaphyra.eu".subdomains."notes".CNAME = [ "${config.networking.fqdn}." ];

    # Both secrets are declared with no attributes, so the secrets module's
    # defaults for owner and mode apply.
    # NOTE(review): the backup job below is configured with the memos user;
    # if the defaults are root-owned, owner-only files, confirm that the
    # resticBackup module makes these two files readable to that user.
    sops.secrets."restic/memos/repositoryPassword" = { };
    sops.secrets."restic/memos/sshPrivateKey" = { };

    # State directory is kept across reboots, accessible only to its owner
    # (mode 700), and owned by the Memos service user and group.
    common.configure.persist.system.dirs = lib.singleton {
      directory = "/var/lib/memos";
      mode = "700";
      inherit (memos) user group;
    };

    # Backup of the SQLite database and the uploads directory to two
    # targets; key and repository password are read from the sops-managed
    # paths rather than being embedded in the configuration.
    common.services.resticBackup.memos = {
      inherit (memos) user;
      enable = true;
      targets = [
        "restic-target.fc9f.de"
        "isodon.fc9f.de"
      ];
      sshKeyFile = secrets."restic/memos/sshPrivateKey".path;
      passwordFile = secrets."restic/memos/repositoryPassword".path;
      sqliteDatabases = [ "${memos.dataDir}/memos_prod.db" ];
      paths = [ "${memos.dataDir}/uploads" ];
    };

    services.memos = {
      enable = true;
      package = pkgs.zpha.memos;
      settings = {
        MEMOS_MODE = "prod";
        MEMOS_DATA = memos.dataDir;
        MEMOS_DRIVER = "sqlite";
        # IPv6 loopback: the plain-HTTP listener is not reachable from other
        # hosts; nginx terminates TLS in front of it.
        MEMOS_ADDR = "[::1]";
        MEMOS_PORT = "5230";
        MEMOS_INSTANCE_URL = "https://notes.zaphyra.eu";
      };
    };

    services.nginx.virtualHosts.${domain} = {
      # Reuses the certificate issued under the host's FQDN.
      # NOTE(review): that certificate has to list notes.zaphyra.eu as an
      # additional name; presumably configured elsewhere - confirm.
      useACMEHost = config.networking.fqdn;
      # Plain-HTTP requests are redirected to HTTPS.
      forceSSL = true;
      kTLS = true;
      locations."/" = {
        # Upstream address is derived from the Memos settings above so the
        # two cannot drift apart.
        proxyPass =
          let
            inherit (memos.settings) MEMOS_ADDR MEMOS_PORT;
          in
          "http://${toString MEMOS_ADDR}:${toString MEMOS_PORT}";
        proxyWebsockets = true;
      };
    };
  };
}