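# NixOS module: Gotify notification server behind the project's nginx wrapper,
# storing its data in a local PostgreSQL database reached over a UNIX socket.
{
  config,
  lib,
  libNginx,
  ...
}:
with lib;
let
  cfg = config.nixfiles.modules.gotify;
in
{
  options.nixfiles.modules.gotify = {
    enable = mkEnableOption "Gotify";

    domain = mkOption {
      description = "Domain name sans protocol scheme.";
      type = types.str;
      default = "gotify.${config.networking.domain}";
    };
  };

  config =
    let
      # One name is used for the database and for the role that owns it.
      db = "gotify";
    in
    mkIf cfg.enable {
      nixfiles.modules = {
        nginx = {
          enable = true;
          # nginx reaches Gotify over loopback only; the port is taken from
          # services.gotify.port so the two cannot drift apart.
          upstreams.gotify.servers."127.0.0.1:${toString config.services.gotify.port}" = { };
          virtualHosts.${cfg.domain} = {
            locations."/" = {
              proxyPass = "http://gotify";
              proxyWebsockets = true;
            };
            # Defined in libNginx, not shown here; presumably an allow/deny
            # list limiting this vhost to internal clients. Confirm there.
            # NOTE(review): this restriction only covers traffic that goes
            # through nginx. No listen address is set for Gotify in this
            # module, so whether port 7665 is reachable directly depends on
            # the upstream default and the host firewall. Consider binding
            # Gotify to loopback (GOTIFY_SERVER_LISTENADDR) to match the
            # 127.0.0.1 upstream above.
            extraConfig = libNginx.config.internalOnly;
          };
        };

        postgresql = {
          enable = true;
          # $PSQL is supplied by the project's postgresql module (not shown).
          # Grants the gotify role every privilege on schema "public" inside
          # its own database; no other database or role is touched.
          extraPostStart = [
            ''
              $PSQL "${db}" -tAc 'GRANT ALL ON SCHEMA "public" TO "${db}"'
            ''
          ];
        };
      };

      services = {
        gotify = {
          enable = true;
          port = 7665;
        };

        postgresql = {
          ensureDatabases = [ db ];
          ensureUsers = [
            {
              name = db;
              # The role owns the database of the same name and nothing else.
              ensureDBOwnership = true;
            }
          ];
        };
      };

      systemd.services.gotify-server = {
        # Ordering on network-online.target has no effect unless the target
        # is also pulled into the transaction, so it is wanted explicitly.
        wants = [ "network-online.target" ];
        after = [
          "network-online.target"
          "postgresql.service"
        ];
        environment = {
          GOTIFY_DATABASE_DIALECT = "postgres";
          # host=/run/postgresql is a socket directory, so the connection
          # stays on the local UNIX socket and never crosses the network;
          # sslmode=disable is therefore not a transport downgrade. No
          # password appears in the string, so authentication is presumably
          # peer-based. Confirm against the pg_hba configuration.
          GOTIFY_DATABASE_CONNECTION = concatStringsSep " " [
            "host=/run/postgresql"
            "user=${db}"
            "dbname=${db}"
            "sslmode=disable"
          ];
        };
      };
    };
}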