{
  config,
  inputs,
  lib,
  libNginx,
  this,
  ...
}:
let
  cfg = config.nixfiles.modules.ntfy;
in
{
  options.nixfiles.modules.ntfy = {
    enable = lib.mkEnableOption "ntfy";

    port = lib.mkOption {
      description = "Port.";
      type = lib.types.port;
      default = 2586;
    };

    domain = lib.mkOption {
      description = "Domain name sans protocol scheme.";
      type = lib.types.str;
      default = "ntfy.${config.networking.domain}";
    };

    prometheus = {
      enable = lib.mkEnableOption "Prometheus exporter." // {
        default = true;
      };

      address = lib.mkOption {
        description = "Address.";
        type = lib.types.str;
        default = this.wireguard.ipv4.address;
      };

      port = lib.mkOption {
        description = "Port.";
        type = lib.types.port;
        default = 9289;
      };
    };
  };

  config = lib.mkIf cfg.enable {
    ark.files = [ config.services.ntfy-sh.settings.auth-file ];

    nixfiles.modules.nginx = {
      enable = true;
      upstreams.ntfy.servers.${config.services.ntfy-sh.settings.listen-http} = { };
      virtualHosts.${cfg.domain} = {
        locations = {
          "/" = {
            proxyPass = "http://ntfy";
            proxyWebsockets = true;
          };
          "/metrics".extraConfig = ''
            deny all;
          '';
        };
        extraConfig = libNginx.config.internalOnly;
      };
    };

    services.ntfy-sh = {
      enable = true;
      settings = {
        listen-http = "127.0.0.1:${toString cfg.port}";
        base-url = "https://${cfg.domain}";
        behind-proxy = true;
        enable-metrics = cfg.prometheus.enable;
        metrics-listen-http = with cfg.prometheus; lib.optionalString enable "${address}:${toString port}";
      };
    };

    topology.nodes.${this.hostname}.services.ntfy = {
      name = "ntfy";
      icon = "${inputs.homelab-svg-assets}/assets/ntfy.svg";
      info = cfg.domain;
      details.listen.text = config.services.ntfy-sh.settings.listen-http;
    };
  };
}