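# NixOS module for the "things" service published at things.zaphyra.eu.
# When enabled it wires up: the DNS CNAME, a fixed-id service account, the
# persisted state directory, restic backups of that directory, and the nginx
# TLS virtual host.
{
  npins,
  config,
  lib,
  pkgs,
  ...
}:

let
  cfg = config.zpha.websites."things.zaphyra.eu";
in
{
  options.zpha.websites."things.zaphyra.eu".enable =
    lib.mkEnableOption "the things.zaphyra.eu website";

  # The upstream module is imported unconditionally: `imports` is resolved
  # before `config` exists and cannot depend on it. The previous
  # `(lib.mkIf … [ … ]).content` form only read the `content` field of the
  # mkIf record and never evaluated the condition, so it behaved the same way
  # while looking conditional. The service is still gated, because
  # `services.things.enable` is set only inside the `mkIf` below.
  imports = [ "${npins.things}/nixosModule.nix" ];

  config = lib.mkIf cfg.enable {
    # things.zaphyra.eu is an alias for this host's FQDN.
    dns.zones."zaphyra.eu".subdomains."things".CNAME = [ "${config.networking.fqdn}." ];

    # Fixed uid/gid; presumably so ownership of the persisted state directory
    # stays stable across rebuilds and restores (confirm 512 is unused on
    # every host that enables this module).
    users = {
      users.things.uid = 512;
      groups.things.gid = 512;
    };

    # Backup credentials are decrypted by sops-nix at activation time, so the
    # plaintext never enters the world-readable Nix store.
    # NOTE(review): no owner/mode is set, so the sops-nix defaults apply
    # (owner root, mode 0400), while the backup job below is configured with
    # the `things` user. Confirm the resticBackup module reads these files
    # with sufficient privilege or assigns the owner itself; if it does not,
    # set `owner` here explicitly rather than widening the mode.
    sops.secrets = {
      "restic/things/repositoryPassword" = { };
      "restic/things/sshPrivateKey" = { };
    };

    common = {
      # Persist the service state; 0700 keeps it readable by the service
      # account only.
      configure.persist.system.dirs = [
        {
          directory = config.services.things.storagePath;
          mode = "0700";
          user = "things";
          group = "things";
        }
      ];

      # Back up the state directory to both targets. The job takes its user
      # from the service definition, and both credentials are passed as file
      # paths, never as inline values.
      services.resticBackup.things = {
        inherit (config.services.things) user;
        enable = true;
        targets = [
          "restic-target.fc9f.de"
          "isodon.fc9f.de"
        ];
        sshKeyFile = config.sops.secrets."restic/things/sshPrivateKey".path;
        passwordFile = config.sops.secrets."restic/things/repositoryPassword".path;
        paths = [ config.services.things.storagePath ];
      };
    };

    services = {
      things = {
        enable = true;
        package = pkgs.zpha.things;
        storagePath = "/var/lib/things";
        nginx.enable = true;
        nginx.domain = "things.zaphyra.eu";
      };

      # TLS settings for the vhost (the vhost itself is presumably created by
      # the upstream module through `nginx.enable`/`nginx.domain`).
      # `useACMEHost` reuses the certificate issued for the host FQDN, so that
      # certificate must also list things.zaphyra.eu as a SAN, otherwise
      # clients get a name mismatch (presumably arranged elsewhere; verify).
      # `forceSSL` redirects plain HTTP to HTTPS.
      nginx.virtualHosts."things.zaphyra.eu" = {
        useACMEHost = config.networking.fqdn;
        forceSSL = true;
        kTLS = true;
      };
    };
  };
}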