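# NixOS module: a self-hosted atuin sync server published through nginx.
#
# The atuin server is bound to the loopback address only. The nginx virtual
# host for `fqdn` obtains an ACME certificate, forces HTTPS and proxies every
# path to the local atuin port.
{
  config,
  lib,
  vhackPackages,
  ...
}: let
  cfg = config.vhack.atuin-sync;
in {
  options.vhack.atuin-sync = {
    enable = lib.mkEnableOption "atuin sync server";

    fqdn = lib.mkOption {
      description = "The fully qualified domain name of this instance.";
      type = lib.types.str;
      example = "atuin-sync.atuin.sh";
    };

    openRegistration = lib.mkOption {
      description = ''
        Whether anyone who can reach this instance may register a new account.

        The default stays `true` so that existing deployments keep working.
        Set it to `false` once the intended accounts exist: the host name
        should not be treated as a secret, and every registered account can
        store data in the local database.
      '';
      type = lib.types.bool;
      default = true;
      example = false;
    };
  };

  config = lib.mkIf cfg.enable {
    # The virtual host below is served by the project's nginx module.
    vhack.nginx.enable = true;

    services = {
      nginx.virtualHosts."${cfg.fqdn}" = {
        locations."/" = {
          # Forward to the loopback listener configured in `services.atuin` below.
          proxyPass = "http://127.0.0.1:${toString config.services.atuin.port}";
          recommendedProxySettings = true;
        };
        enableACME = true;
        forceSSL = true;
      };

      atuin = {
        enable = true;
        package = vhackPackages.atuin-server-only;

        # Loopback only: the service is reachable from outside solely via nginx.
        host = "127.0.0.1";

        # Original rationale for leaving this open: nobody knows the fqdn, and
        # clients can only upload encrypted blobs.
        # NOTE(review): that covers the confidentiality of stored history, not
        # availability. Certificates issued via ACME are typically recorded in
        # public Certificate Transparency logs, so the fqdn is discoverable,
        # and open registration lets any client create accounts and fill the
        # local database. Hence the toggle; consider adding rate limiting or
        # closing registration after the initial setup.
        openRegistration = cfg.openRegistration;

        database.createLocally = true;
      };
    };
  };
}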