# NixOS module for `vhack.nix-sync`: every entry returned by ./hosts.nix becomes
# one `services.nix-sync` repository and one nginx virtual host, both pointing
# at the same directory below /etc/nginx/websites.
{
  config,
  lib,
  ...
}: let
  cfg = config.vhack.nix-sync;

  # Site list. Each entry is destructured below as
  # { domain, url, root ? "", extraSettings ? {} }; the patterns carry no `...`,
  # so an entry with any other attribute fails evaluation.
  domains = import ./hosts.nix {};

  # Directory used both as the repository `path` and as the nginx document root.
  # NOTE(review): `domain` and `root` are interpolated unchecked, so a `root`
  # containing `..` would resolve outside the per-domain directory. The values
  # come from ./hosts.nix, so changes to that file deserve the same review as
  # changes to this module.
  websiteRoot = domain: root: "/etc/nginx/websites/${domain}/${root}";

  # Entry -> name/value pair for `services.nix-sync.repositories`.
  # What the service does with `uri` and `extraSettings` is not visible in this
  # file (presumably defined in ./internal_module.nix — confirm there).
  # NOTE(review): `path` is the directory nginx serves, so whatever the service
  # places there for `url` is published under `domain`; treat write access to
  # that repository as publish access to the site — confirm against the service.
  toRepository = {
    domain,
    root ? "",
    url,
    extraSettings ? {},
  }:
    lib.nameValuePair "${domain}" {
      path = websiteRoot domain root;
      uri = "${url}";
      inherit extraSettings;
    };

  # Entry -> name/value pair for `services.nginx.virtualHosts`.
  # TLS is on by default (forceSSL + enableACME). `extraSettings` is the
  # right-hand argument of lib.recursiveUpdate and therefore wins: a single
  # entry can switch those defaults off or point `root` somewhere else.
  # The same `extraSettings` value is also handed to the repository above.
  # `url` is unused here but stays in the pattern so the same entries are
  # accepted by both builders.
  toVirtualHost = {
    domain,
    root ? "",
    url,
    extraSettings ? {},
  }:
    lib.nameValuePair "${domain}" (
      lib.recursiveUpdate {
        root = websiteRoot domain root;
        enableACME = true;
        forceSSL = true;
      }
      extraSettings
    );

  nixSyncRepositories = lib.listToAttrs (map toRepository domains);
  virtHosts = lib.listToAttrs (map toVirtualHost domains);
in {
  imports = [./internal_module.nix];

  options.vhack.nix-sync.enable = lib.mkEnableOption '' a website git ops solution. '';

  config = lib.mkIf cfg.enable {
    vhack = {
      nginx.enable = true;

      # State directory registered with vhack.persist: owned by the nix-sync
      # user and group, mode 0700 (no access for group or others).
      persist.directories = [
        {
          directory = "/var/lib/nix-sync";
          user = "nix-sync";
          group = "nix-sync";
          mode = "0700";
        }
      ];
    };

    services = {
      nix-sync = {
        enable = true;
        repositories = nixSyncRepositories;
      };

      nginx.virtualHosts = virtHosts;
    };
  };
}