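# NixOS module `vhack.sharkey`: a thin wrapper around the upstream
# `services.sharkey` module. It pins the settings this deployment needs,
# puts Sharkey behind an nginx virtual host with ACME/TLS, runs the service
# under a static `sharkey` user, and registers its state directories for
# persistence.
{
  config,
  lib,
  pkgs,
  pkgsUnstable,
  nixpkgs-unstable,
  ...
}: let
  cfg = config.vhack.sharkey;
in {
  imports = [
    # TODO(@bpeetz): Remove this import once we update to NixOS 25.11 <2025-07-12>
    "${nixpkgs-unstable}/nixos/modules/services/web-apps/sharkey.nix"
  ];

  options.vhack.sharkey = {
    enable = lib.mkEnableOption "sharkey";

    fqdn = lib.mkOption {
      description = "The fully qualified domain name of this instance.";
      type = lib.types.str;
      example = "sharkey.shonk.social";
    };

    package = lib.mkOption {
      type = lib.types.package;
      default = pkgsUnstable.sharkey;
      # Keep the rendered default in sync with the real default above.
      defaultText = lib.literalExpression "pkgsUnstable.sharkey";
      description = "Sharkey package to use.";
    };

    mediaDirectory = lib.mkOption {
      type = lib.types.path;
      default = "/var/lib/sharkey";
      description = "The directory where sharkey stores it's data.";
    };

    # NOTE(review): values set here are presumably rendered into a config file
    # in the world-readable Nix store by the upstream module, so secrets
    # (database passwords, API keys) should not be placed in `settings` --
    # confirm against the upstream module.
    # NOTE(review): the reference after "see" in the description appears to be
    # missing its link target.
    settings = lib.mkOption {
      inherit (pkgs.formats.yaml {}) type;
      default = {};
      description = ''
        Extra Configuration for Sharkey, see
        for supported settings.

        Note, that this is applied on-top of the neccessary config.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    services = {
      sharkey = {
        enable = true;
        inherit (cfg) package;

        # The application port stays closed in the firewall; the nginx
        # virtual host below is the only intended entry point.
        openFirewall = false;
        setupRedis = true;
        setupPostgresql = true;

        # `//` is a shallow merge and the right-hand side wins: `url`, `port`
        # and `mediaDirectory` cannot be overridden through `cfg.settings`,
        # and a user-supplied `fulltextSearch` attribute set is replaced as a
        # whole rather than merged key by key.
        settings =
          cfg.settings
          // {
            url = "https://${cfg.fqdn}/";
            port = 5312;
            inherit (cfg) mediaDirectory;
            fulltextSearch.provider = "sqlLike";
          };
      };

      nginx.virtualHosts."${cfg.fqdn}" = {
        locations."/" = {
          # Plain HTTP to the loopback address; TLS is terminated by nginx.
          # NOTE(review): confirm that Sharkey itself only listens on
          # loopback, otherwise the port is reachable from any network the
          # firewall does not cover.
          proxyPass = "http://127.0.0.1:${toString config.services.sharkey.settings.port}";
          proxyWebsockets = true;
        };
        enableACME = true;
        forceSSL = true;
      };
    };

    systemd.services.sharkey = {
      # TODO(@bpeetz): `postgresql.target` is only available in NixOS 25.11, as such we
      # need to override this back to the postgresql.service. <2025-07-12>
      #
      # `mkForce` replaces the upstream lists entirely, so any other ordering
      # dependency the upstream unit declares is dropped here as well.
      after = lib.mkForce ["postgresql.service" "redis-sharkey.service"];
      bindsTo = lib.mkForce ["postgresql.service" "redis-sharkey.service"];

      serviceConfig = {
        # The upstream service uses DynamicUsers, which currently poses issues to our
        # directory persisting strategy.
        User = "sharkey";
        Group = "sharkey";
        DynamicUser = lib.mkForce false;
      };
    };

    vhack = {
      nginx.enable = true;

      persist.directories = [
        {
          directory = "${config.services.redis.servers."sharkey".settings.dir}";
          # NOTE(review): the owner is `sharkey`, not `redis-sharkey`; with
          # mode 0770 the redis server then depends on group access to its
          # own data directory -- confirm this is intended.
          user = "sharkey";
          # Was misspelled "redis-sharey", a group this module never defines.
          group = "redis-sharkey";
          mode = "0770";
        }
        {
          # Uploaded media and instance data: accessible to the service user only.
          directory = "${cfg.mediaDirectory}";
          user = "sharkey";
          group = "sharkey";
          mode = "0700";
        }
      ];
    };

    # Static uids/gids come from the shared constants table, so ownership of
    # the persisted directories stays stable.
    users = {
      groups.sharkey = {
        gid = config.vhack.constants.ids.gids.sharkey;
      };
      users.sharkey = {
        isSystemUser = true;
        group = "sharkey";
        uid = config.vhack.constants.ids.uids.sharkey;
        home = cfg.package;
        packages = [cfg.package];
      };

      groups.redis-sharkey = {
        gid = config.vhack.constants.ids.gids.redis-sharkey;
      };
      # Presumably merged with the account the redis module creates for the
      # "sharkey" server (no `isSystemUser` is set here); this only pins the
      # ids -- confirm.
      users.redis-sharkey = {
        group = "redis-sharkey";
        uid = config.vhack.constants.ids.uids.redis-sharkey;
      };
    };
  };
}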