# NixOS module: runs taskchampion-sync-server under a fixed `taskchampion`
# account, persists its data directory, and publishes it through an nginx
# virtual host that terminates TLS with an ACME-issued certificate.
{ config, lib, ... }:
let
  moduleCfg = config.vhack.taskchampion-sync;

  # Single source of truth for the state path: it is handed both to the
  # persistence layer and to the upstream service as its data directory.
  stateDir = "/var/lib/taskchampion-sync-server";

  # Name shared by the service user and its group.
  account = "taskchampion";

  # Port of the upstream service, as configured in its own module.
  backendPort = config.services.taskchampion-sync-server.port;
in
{
  options.vhack.taskchampion-sync = {
    enable = lib.mkEnableOption "taskchampion-sync";

    fqdn = lib.mkOption {
      type = lib.types.str;
      description = "The fully qualified domain name of this instance.";
      example = "task-sync.tw.online";
    };
  };

  config = lib.mkIf moduleCfg.enable {
    # Static uid/gid so ownership of the persisted directory stays stable.
    users.users.${account} = {
      uid = config.vhack.constants.ids.uids.taskchampion;
      group = account;
    };
    # NOTE(review): the gid is read from the *uids* table. This looks like a
    # deliberate "same number for user and group" choice; confirm there is no
    # separate gid table that should be used instead.
    users.groups.${account}.gid = config.vhack.constants.ids.uids.taskchampion;

    vhack.nginx.enable = true;
    vhack.persist.directories = [
      {
        directory = stateDir;
        user = account;
        group = account;
        # Owner-only access: no other local account can read the stored sync data.
        mode = "0700";
      }
    ];

    # The upstream service uses DynamicUser, which currently poses issues to our
    # directory persisting strategy, so it is forced off in favour of the
    # static account declared above.
    #
    # NOTE(review): systemd's DynamicUser= implicitly enables ProtectSystem=strict,
    # ProtectHome=read-only, PrivateTmp=, RemoveIPC=, NoNewPrivileges= and
    # RestrictSUIDSGID=. Forcing it off drops that sandboxing unless the upstream
    # unit also sets those options explicitly; verify with `systemd-analyze
    # security taskchampion-sync-server` and re-add what is missing.
    systemd.services.taskchampion-sync-server.serviceConfig = {
      DynamicUser = lib.mkForce false;
      User = account;
      Group = account;
    };

    services.taskchampion-sync-server = {
      enable = true;
      dataDir = stateDir;
    };

    services.nginx.virtualHosts.${moduleCfg.fqdn} = {
      # Obtain the certificate via ACME and serve the vhost over HTTPS only.
      enableACME = true;
      forceSSL = true;

      # TLS ends at nginx; the hop to the backend is plain HTTP over loopback.
      # NOTE(review): this assumes the sync server listens on 127.0.0.1 only.
      # Confirm the upstream module's listen address and that its port is not
      # opened in the firewall, otherwise the backend is reachable without TLS.
      # Nothing in this module restricts which clients may use the endpoint;
      # check whether the upstream module should be given a client allow-list.
      locations."/" = {
        recommendedProxySettings = true;
        proxyPass = "http://127.0.0.1:${toString backendPort}";
      };
    };
  };
}