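# NixOS module for the Workout Sync service.
#
# Declares `services.workout-sync.{enable,subdomain,port}`, runs the
# `workout-sync` binary from the `workout-sync` flake input as a confined
# systemd unit, and publishes it through `services.webserver` at
# `<subdomain>.<networking.domain>`.
{ pkgs, inputs, config, lib, ... }:
let
  cfg = config.services.workout-sync;

  # Public host name of the reverse-proxied virtual host.
  fqdn = "${cfg.subdomain}.${config.networking.domain}";

  port = cfg.port;

  # Package built by the flake input for the host's platform.
  workout-sync = inputs.workout-sync.packages.${pkgs.stdenv.hostPlatform.system}.default;
in
{
  options.services.workout-sync = {
    # mkEnableOption already prefixes the text with "Whether to enable",
    # so only the service name is passed here.
    enable = lib.mkEnableOption "Workout Sync";

    subdomain = lib.mkOption {
      type = lib.types.str;
      description = "Subdomain, below `networking.domain`, that the service is served on.";
    };

    port = lib.mkOption {
      # types.port rejects values outside 0-65535 at evaluation time instead
      # of handing an unusable number to the service and the proxy.
      type = lib.types.port;
      default = 3344;
      description = "Port the service listens on; the web server proxies to it.";
    };
  };

  config = lib.mkIf cfg.enable {
    # The sync service talks to the local workout-tracker instance.
    services.workout-tracker.enable = lib.mkDefault true;

    systemd.services.workout-sync = {
      enable = true;
      description = "Workout sync service";

      environment = {
        PORT = toString port;
        # Plain HTTP is used only towards the tracker on localhost.
        WORKOUT_TRACKER_URL = "http://localhost:${toString config.services.workout-tracker.port}";
      };

      serviceConfig = {
        ExecStart = "${workout-sync}/bin/workout-sync";
        Restart = "always";

        # Run under a transient, unprivileged UID/GID allocated by systemd.
        DynamicUser = true;

        # Host files exposed read-only inside the confined root (DNS
        # resolution, name service switch, hosts file, TLS trust store).
        # Every entry widens what the service can see, so keep the list
        # minimal. Written as strings rather than Nix path literals: these
        # are runtime paths on the target host, and a path literal can be
        # copied into the store if it is ever interpolated.
        BindReadOnlyPaths = [
          # Only present when systemd-resolved is running; the leading "-"
          # makes systemd skip the mount instead of failing the unit when
          # the source path does not exist.
          "-/run/systemd/resolve/stub-resolv.conf"
          "/etc/ssl"
          "/etc/static/ssl"
          "/etc/resolv.conf"
          "/etc/static/resolv.conf"
          "/etc/nsswitch.conf"
          "/etc/static/nsswitch.conf"
          "/etc/hosts"
        ];
      };

      wantedBy = [ "multi-user.target" ];

      # Run the unit in a restricted root that holds its store closure plus
      # the bind mounts listed above.
      confinement.enable = true;
    };

    # NOTE(review): only PORT is passed to the service, so the address it
    # binds to is decided by the binary. If it listens on all interfaces,
    # the backend is reachable without the proxy wherever the host firewall
    # allows the port - confirm it binds to loopback or keep the port closed.
    services = {
      webserver = {
        enable = lib.mkDefault true;
        vHosts.${fqdn}.locations."/" = {
          proxyPort = port;
          # Request bodies are capped at 50 MiB; the 300 s timeouts allow
          # slow uploads and long-running requests through the proxy.
          extraConfig = ''
            client_max_body_size 50m;
            proxy_send_timeout 300;
            proxy_read_timeout 300;
            send_timeout 300;
          '';
        };
      };
    };
  };
}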