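# NixOS module: Codeberg pages-server behind nginx.
#
# Port 443 is owned by the nginx *stream* block below, which routes by SNI:
# hostnames that are declared as nginx virtualHosts go to nginx's own TLS
# listener on 127.0.0.1:8446 (with a PROXY protocol header), every other name
# goes to the pages server, which terminates TLS itself (ACME via the OVH DNS
# provider).
{ config, lib, pkgs, nixpkgs, ... }:
let
  # Port the pages server listens on. Used both for its PORT variable and as
  # the default SNI upstream in the stream block, so the two cannot drift.
  pagesPort = "8010";

  # Environment of the pages-server process. Non-secret settings only;
  # credentials live in the age-encrypted EnvironmentFile (see serviceConfig).
  environment = {
    ACME_ACCEPT_TERMS = "true";
    ACME_EMAIL = "acme@dgnum.eu";
    DNS_PROVIDER = "ovh";
    OVH_ENDPOINT = "ovh-eu";
    # nginx owns the plain-HTTP listener; the pages server only serves HTTPS.
    ENABLE_HTTP_SERVER = "false";
    GITEA_ROOT = "https://git.dgnum.eu";
    PORT = pagesPort;
    PAGES_DOMAIN = "dgnum.page";
    RAW_DOMAIN = "raw.dgnum.page";
    PAGES_BRANCHES = "pages,main,master";
  };

  # Necessary until upstream cuts a new release because of
  # https://codeberg.org/Codeberg/pages-server/issues/235
  # that is fixed on main
  package = nixpkgs.unstable.codeberg-pages.overrideAttrs (_: {
    src = pkgs.fetchFromGitea {
      domain = "codeberg.org";
      owner = "Codeberg";
      repo = "pages-server";
      rev = "9524b1eb12f77fa345cc8a220f67ae244da0ab12";
      hash = "sha256-RZjwy0Vdqu2XdF14hwXvQ7Bj11+1Q2VxDm1GTU1brA8=";
    };
    vendorHash = "sha256-xfn3uMeea25dG7On28mU38i5Izo9YVKDXNFT7WipiYI=";
  });
in
{
  # Every virtual host receives its connections from the local stream proxy
  # with a PROXY protocol header, so take the client address from that header
  # -- and trust it from loopback only, never from an external peer.
  # (Re-declaring the option with a submodule that only sets `config` merges
  # with the nixpkgs definition rather than replacing it.)
  options.services.nginx.virtualHosts = lib.mkOption {
    type = lib.types.attrsOf (
      lib.types.submodule {
        config.extraConfig = ''
          real_ip_header proxy_protocol;
          set_real_ip_from 127.0.0.1;
        '';
      }
    );
  };

  config = {
    systemd.services.codeberg-pages = {
      inherit environment;
      description = "Codeberg pages server";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        Type = "simple";
        StateDirectory = "codeberg-pages";
        # Secret part of the environment (OVH API credentials and the like).
        EnvironmentFile = config.age.secrets."pages-environment_file".path;
        WorkingDirectory = "/var/lib/codeberg-pages";
        DynamicUser = true;
        ExecStart = lib.getExe package;
        Restart = "on-failure";

        # Sandboxing. NOTE(review): CapabilityBoundingSet, RestrictAddressFamilies
        # and SystemCallFilter are not set; worth adding once it is confirmed
        # the binary needs nothing beyond AF_INET/AF_INET6/AF_UNIX sockets.
        ProtectHome = true;
        ProtectSystem = "strict";
        PrivateTmp = true;
        PrivateDevices = true;
        ProtectHostname = true;
        ProtectClock = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectKernelLogs = true;
        ProtectControlGroups = true;
        NoNewPrivileges = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        RemoveIPC = true;
        PrivateMounts = true;
      };
    };

    services.nginx = {
      # nginx's TLS listener is loopback-only and expects PROXY protocol from
      # the stream block; plain HTTP stays on the public address.
      defaultListen = [
        {
          addr = "127.0.0.1";
          port = 8446;
          ssl = true;
          proxyProtocol = true;
        }
        {
          addr = "0.0.0.0";
          ssl = false;
        }
      ];

      # SNI router for :443. NOTE(review): `proxy_protocol on` applies to both
      # upstreams, i.e. the pages server on ${pagesPort} also receives a PROXY
      # header -- presumably it is configured to accept one; confirm.
      streamConfig = ''
        map $ssl_preread_server_name $sni_upstream {
          default 127.0.0.1:${pagesPort};
          ${
            lib.concatMapStringsSep "\n  " (vhost: "${vhost} 127.0.0.1:8446;") (
              lib.attrNames config.services.nginx.virtualHosts
            )
          }
        }

        server {
          listen 443;
          ssl_preread on;
          proxy_pass $sni_upstream;
          proxy_protocol on;
        }
      '';
    };
  };
}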