{
  config,
  pkgs,
  lib,
  ...
}:

let
  cfg = config.qois.static-page;
in
with lib;
{
  imports = [ ./default-pages.nix ];

  options.qois.static-page =
    let
      pageType =
        { name, ... }:
        {
          options = {
            domain = mkOption {
              type = types.str;
              default = name;
              description = ''
                Primary domain, under which the site is served.
                Only ASCII Domains are supported at this time.
                Note that changing this changes the root folder of the vhost in /var/lib/nginx-$domain/root and the ssh user to "nginx-$domain".
              '';
            };

            domainAliases = mkOption {
              type = types.listOf types.str;
              default = [ ];
              description = "Domain aliases which are forwarded to the primary domain";
            };

            authorizedKeys = mkOption {
              type = types.listOf types.str;
              default = [ ];
              description = "SSH keys for deployment";
            };
          };
        }

      ;
    in
    {
      enable = mkEnableOption "Enable static-page hosting";
      pages = mkOption {
        type = types.attrsOf (types.submodule (pageType));
      };
    };

  config = mkIf cfg.enable (
    let
      pageConfigs = concatMapAttrs (
        name: page:
        let
          home = "/var/lib/nginx-${page.domain}";
        in
        {
          "${page.domain}" = page // {
            inherit home;
            user = "${config.services.nginx.user}-${page.domain}";
            root = "${home}/root";
          };
        }
      ) cfg.pages;

    in
    {
      networking.hosts."127.0.0.1" = pipe pageConfigs [
        attrValues
        (map (page: [ page.domain ] ++ page.domainAliases))
        flatten
      ];

      users = {
        groups = concatMapAttrs (
          name:
          { user, ... }:
          {
            "${user}" = { };
          }
        ) pageConfigs;
        users =
          {
            ${config.services.nginx.user}.extraGroups = mapAttrsToList (domain: getAttr "user") pageConfigs;
          }
          // (concatMapAttrs (
            name:
            {
              user,
              home,
              authorizedKeys,
              ...
            }:
            {
              ${user} = {
                inherit home;
                isSystemUser = true;
                useDefaultShell = true;
                homeMode = "750";
                createHome = true;
                group = user;
                openssh.authorizedKeys.keys = authorizedKeys;
              };
            }
          ) pageConfigs);
      };

      services.nginx = {
        enable = true;
        virtualHosts =
          let
            defaultVhostConfig = {
              enableACME = true;
              forceSSL = true;
              kTLS = true;
            };
            mkVhost =
              { root, ... }:
              defaultVhostConfig
              // {
                inherit root;
              };
            mkAliasVhost =
              { domainAliases, domain, ... }:
              if (domainAliases == [ ]) then
                { }
              else
                ({
                  "${head domainAliases}" = defaultVhostConfig // {
                    serverAliases = tail domainAliases;
                    globalRedirect = domain;
                  };
                });
            aliasVhosts = concatMapAttrs (name: mkAliasVhost) pageConfigs;

          in
          aliasVhosts // (mapAttrs (name: mkVhost) pageConfigs);
      };
    }
  );
}