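# NixOS module `vhack.nix-sync`.
#
# For every entry in `vhack.nix-sync.domains` this module registers
#   * a `services.nix-sync` repository that is checked out below
#     `/etc/nginx/websites/<domain>`, and
#   * an nginx virtual host for `<domain>` that serves that directory with
#     `forceSSL` and `enableACME` set.
{
  config,
  lib,
  modulesPath,
  nixLib,
  ...
}: let
  cfg = config.vhack.nix-sync;

  # Directory that holds the checkout of one website. It is used both as the
  # nix-sync `path` and as the nginx `root`; deriving both from this helper keeps
  # them from drifting apart.
  #
  # NOTE(review): `domain` is interpolated into this path unchanged and its option
  # type is a plain `lib.types.str`, so a value containing `/` or `..` would name a
  # directory outside `/etc/nginx/websites`. Consider tightening the option type
  # (e.g. with `lib.types.strMatching`) so a typo is rejected at evaluation time.
  websiteRoot = domain: "/etc/nginx/websites/${domain}";

  # Turn one `domains` entry into a name/value pair for `services.nix-sync.repositories`.
  #
  # NOTE(review): `extraSettings` (an nginx vhost submodule value) is forwarded to
  # the repository entry as well; how `./internal_module.nix` uses it is not visible
  # from this file. TODO confirm.
  mkNixSyncRepository = {
    domain,
    repositoryUrl,
    extraSettings,
  }: {
    name = domain;
    value = {
      path = websiteRoot domain;
      uri = repositoryUrl;
      inherit extraSettings;
    };
  };
  nixSyncRepositories = builtins.listToAttrs (builtins.map mkNixSyncRepository cfg.domains);

  # Turn one `domains` entry into a name/value pair for `services.nginx.virtualHosts`.
  mkVirtHost = {
    domain,
    repositoryUrl,
    extraSettings,
  }: {
    name = domain;
    value =
      # FIXME(@bpeetz): We cannot use something like `lib.recursiveUpdate` because the
      # `extraSettings` are instantiated from the “real” nginx type. As such the
      # `extraSettings` would override our values here. Therefore, the direct merge. <2025-02-07>
      #
      # The right-hand side of `//` wins, so `extraSettings` cannot switch off
      # `forceSSL`/`enableACME` or change the vhost-level `root`. The merge is shallow:
      # everything else in `extraSettings` is taken as given, including per-location
      # `root`/`alias` settings, which can still point nginx at other directories.
      extraSettings
      // {
        forceSSL = true;
        enableACME = true;
        root = websiteRoot domain;
      };
  };
  virtHosts = builtins.listToAttrs (builtins.map mkVirtHost cfg.domains);
in {
  imports = [
    ./internal_module.nix
  ];

  options.vhack.nix-sync = {
    enable = lib.mkEnableOption "a website git ops solution";

    domains = lib.mkOption {
      type = lib.types.listOf (lib.types.submodule {
        options = {
          domain = lib.mkOption {
            type = lib.types.str;
            example = "b-peetz.de";
            description = ''
              The fully qualified domain to use as base of this website.
            '';
          };

          # Whatever this repository contains is what nginx serves for `domain`, so
          # write access to the repository is equivalent to control over the site.
          # NOTE(review): whether the fetched revision is pinned or verified is decided
          # in `./internal_module.nix`, which is not visible here. TODO confirm.
          repositoryUrl = lib.mkOption {
            type = lib.types.str;
            # Constructed placeholder; the previous example repeated the domain
            # example instead of showing a repository URL.
            example = "https://git.example.org/website.git";
            description = ''
              The url used for the source git repository, which is deployed at this domain.
            '';
          };

          extraSettings = lib.mkOption {
            # Reuses the upstream nginx vhost option set, so every vhost option is
            # accepted here and type-checked like a regular `services.nginx.virtualHosts` entry.
            type = lib.types.submodule (import (modulesPath + "/services/web-servers/nginx/vhost-options.nix") {inherit config lib;});
            example = {
              # nginx directives in `extraConfig` need their terminating `;`.
              locations."/.well-known/openpgpkey/".extraConfig = "default_type application/octet-stream;";
            };
            default = {};
            description = ''
              Extra configuration to add to the nginx virtual host.
            '';
          };
        };
      });
    };
  };

  config = lib.mkIf cfg.enable {
    # State directory of nix-sync, kept across reboots and readable only by the
    # `nix-sync` user (mode 0700).
    vhack.persist.directories = [
      {
        directory = "/var/lib/nix-sync";
        user = "nix-sync";
        group = "nix-sync";
        mode = "0700";
      }
    ];

    services.nix-sync = {
      enable = true;
      repositories = nixSyncRepositories;
    };

    vhack.nginx.enable = true;
    services.nginx.virtualHosts = virtHosts;

    # Fixed uid/gid taken from the central constants table; presumably this keeps the
    # ownership of the persisted directory stable across rebuilds.
    users = {
      users.nix-sync.uid = config.vhack.constants.ids.uids.nix-sync;
      groups.nix-sync.gid = config.vhack.constants.ids.gids.nix-sync;
    };
  };
}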