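# NixOS module for `back`, an issue tracker served behind nginx.
#
# Exposes `vhack.back.{enable,domain,settings}`.  When enabled it runs a
# sandboxed systemd unit for the tracker and an nginx virtual host that
# terminates TLS and proxies to the locally listening backend.
{
  config,
  lib,
  vhackPackages,
  pkgs,
  ...
}: let
  cfg = config.vhack.back;

  settingsFormat = pkgs.formats.json {};

  # `cfg.settings` is serialised verbatim, so every option under
  # `settings` maps 1:1 to a key of the JSON file handed to `back`.
  configFile = settingsFormat.generate "config.json" cfg.settings;

  # Address nginx proxies to.  Nothing in this module tells `back` where
  # to listen, so this must match the application's own default —
  # confirm against the application if that default ever changes.
  backendUrl = "http://127.0.0.1:8000";
in {
  options.vhack.back = {
    enable = lib.mkEnableOption "Back issue tracker (inspired by tvix's panettone)";

    domain = lib.mkOption {
      type = lib.types.str;
      description = "The domain to host this `back` instance on.";
    };

    settings = {
      scan_path = lib.mkOption {
        type = lib.types.path;
        description = ''
          The path to the directory under which all the repositories reside.

          Pass this as a string (e.g. `"/srv/git"`), not as a path literal:
          a path literal is copied into the Nix store at evaluation time and
          the service would then scan that copy instead of the live
          repositories.
        '';
      };

      project_list = lib.mkOption {
        type = lib.types.path;
        description = ''
          The path to the `projects.list` file.

          As with `scan_path`, pass a string rather than a path literal.
        '';
      };

      source_code_repository_url = lib.mkOption {
        type = lib.types.str;
        default = "https://git.foss-syndicate.org/vhack.eu/nixos-server/tree/pkgs/by-name/ba/back";
        description = "The url to the source code of this instance of back";
      };

      root_url = lib.mkOption {
        type = lib.types.str;
        default = "https://${cfg.domain}";
        # Keep the rendered manual from evaluating `cfg.domain`.
        defaultText = lib.literalExpression ''"https://''${config.vhack.back.domain}"'';
        description = "The url to this instance of back.";
      };
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services.back = {
      description = "Back issue tracking system.";
      requires = ["network-online.target"];
      after = ["network-online.target"];
      # `multi-user.target` is the conventional anchor for system services;
      # `default.target` is only an alias that may point elsewhere.
      wantedBy = ["multi-user.target"];

      serviceConfig = {
        ExecStart = "${lib.getExe vhackPackages.back} ${configFile}";

        # Ensure that the service can read the repositories.
        # FIXME(@bpeetz): This has the implied assumption, that all the exposed git
        # repositories are readable for the git group. This should not be necessary.
        # <2024-12-23>
        # NOTE(review): `DynamicUser` is combined with a static `User`/`Group`
        # here; check on a running system which UID/GID the unit actually
        # ends up with before relying on either for file permissions.
        User = "git";
        Group = "git";
        DynamicUser = true;
        Restart = "always";

        # Sandboxing.
        # `ProtectSystem = "strict"` leaves the filesystem readable but
        # read-only, which is all the tracker needs for `scan_path`;
        # `ProtectHome = true` additionally hides /home, /root and /run/user,
        # so repositories must not live under those directories.
        ProtectSystem = "strict";
        ProtectHome = true;
        PrivateTmp = true;
        PrivateDevices = true;
        ProtectHostname = true;
        ProtectClock = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectKernelLogs = true;
        ProtectControlGroups = true;
        # AF_UNIX for journald/sockets, AF_INET/AF_INET6 for the listening
        # socket nginx connects to.
        RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
        RestrictNamespaces = true;
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        RemoveIPC = true;
        PrivateMounts = true;
        # The service runs as an unprivileged user and must never regain
        # capabilities; also hide other users' processes and keep anything
        # it creates (only /tmp is writable) private to itself.
        NoNewPrivileges = true;
        CapabilityBoundingSet = [""];
        ProtectProc = "invisible";
        UMask = "0077";

        # System call filtering.  The leading `~` denies every listed group.
        SystemCallArchitectures = "native";
        SystemCallFilter = ["~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid"];
      };
    };

    services.nginx.virtualHosts."${cfg.domain}" = {
      enableACME = true;
      forceSSL = true;
      locations."/".proxyPass = backendUrl;
    };
  };
}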