{
  config,
  lib,
  ...
}: let
  cfg = config.vhack.etesync;
in {
  options.vhack.etesync = {
    enable = lib.mkEnableOption ''
      a secure, end-to-end encrypted, and privacy respecting sync for your contacts, calendars, tasks and notes.
    '';
  };

  config = lib.mkIf cfg.enable {
    services.etebase-server = {
      enable = true;
      port = 8001;
      settings = {
        global.secret_file = "${config.age.secrets.etebase-server.path}";
        allowed_hosts = {
          allowed_host1 = "etebase.vhack.eu";
          allowed_host2 = "dav.vhack.eu";
        };
      };
    };

    age.secrets.etebase-server = {
      file = ./secret_file.age;
      mode = "700";
      owner = "etebase-server";
      group = "etebase-server";
    };

    environment.persistence."/srv".directories = [
      {
        directory = "/var/lib/etebase-server";
        user = "etebase-server";
        group = "etebase-server";
        mode = "0700";
      }
    ];

    services.nginx = {
      enable = true;
      recommendedTlsSettings = true;
      recommendedOptimisation = true;
      recommendedGzipSettings = true;
      recommendedProxySettings = true;

      virtualHosts = {
        "etebase.vhack.eu" = {
          enableACME = true;
          forceSSL = true;

          locations = {
            # TODO: Maybe fix permissions to use pregenerated static files which would
            # improve performance.
            #"/static" = {
            #  root = config.services.etebase-server.settings.global.static_root;
            #};
            "/" = {
              proxyPass = "http://127.0.0.1:${builtins.toString config.services.etebase-server.port}";
            };
          };
          serverAliases = [
            "dav.vhack.eu"
          ];
        };
      };
    };
  };
}