# NixOS module for the dnote server: runs `dnote-server` as a confined systemd
# service, backed by the local PostgreSQL instance and published through the
# host's webserver vHost for `<subdomain>.<networking.domain>`.
{ lib, config, pkgs, pkgs-unstable, ... }:
let
  cfg = config.services.dnote;

  # Public hostname the service is served under (also used for WebURL).
  fqdn = "${cfg.subdomain}.${config.networking.domain}";

  # User-tunable process environment.  Everything set here is rendered into the
  # systemd unit file, which lives in the world-readable Nix store; credentials
  # such as SmtpPassword should therefore be supplied via `environmentFile`
  # instead, which systemd reads at start-up and never copies into the store.
  envSubmodule = lib.types.submodule {
    options = {
      DBName = lib.mkOption { type = lib.types.str; default = "dnote"; };
      SmtpHost = lib.mkOption { type = lib.types.nullOr lib.types.str; default = null; };
      SmtpPort = lib.mkOption { type = lib.types.nullOr lib.types.int; default = null; };
      SmtpUsername = lib.mkOption { type = lib.types.nullOr lib.types.str; default = null; };
      SmtpPassword = lib.mkOption { type = lib.types.nullOr lib.types.str; default = null; };
    };
  };

  # Settings the module owns.  They sit on the right-hand side of `//` below, so
  # a value in `cfg.environment` with the same key can never override them.
  fixedEnvironment = {
    GO_ENV = "PRODUCTION";
    OnPremises = true;
    # Unix-socket directory; it is bind-mounted into the confinement below.
    DBHost = "/var/run/postgresql";
    DBPort = config.services.postgresql.settings.port;
    DBUser = cfg.user;
    WebURL = "https://${fqdn}";
  };

  # systemd environment values must be strings: booleans become "true"/"false",
  # everything else (ints, paths, null) goes through toString.
  toEnvString = v: if lib.isBool v then lib.boolToString v else toString v;
in
{
  options.services.dnote = {
    enable = lib.mkEnableOption "Enable dnote server";
    subdomain = lib.mkOption { type = lib.types.str; };
    user = lib.mkOption { type = lib.types.str; default = "dnote"; };
    port = lib.mkOption { type = lib.types.int; default = 3040; };
    environment = lib.mkOption { type = envSubmodule; default = { }; };
    # Passed to systemd as EnvironmentFile=; the preferred home for secrets.
    environmentFile = lib.mkOption { type = lib.types.nullOr lib.types.path; default = null; };
  };

  config = lib.mkIf cfg.enable {
    # Dedicated unprivileged account; the group doubles as the DB role owner.
    users = {
      users.${cfg.user} = { isSystemUser = true; group = cfg.user; };
      groups.${cfg.user} = { };
    };

    systemd.services.dnote = {
      enable = true;
      description = "Dnote server";
      wantedBy = [ "multi-user.target" ];
      # Hard dependency on the local database: start after it, stop with it.
      after = [ "postgresql.service" ];
      requires = [ "postgresql.service" ];
      environment = lib.mapAttrs (_: toEnvString) (cfg.environment // fixedEnvironment);
      # Run in a minimal chroot-style confinement; only the paths listed in
      # BindPaths/BindReadOnlyPaths plus the given packages are visible.
      confinement = {
        enable = true;
        packages = [ pkgs.cacert ];
      };
      serviceConfig = {
        ExecStart = "${pkgs-unstable.dnote}/bin/dnote-server -port ${toString cfg.port} start";
        EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile;
        User = cfg.user;
        # Writable: the PostgreSQL socket directory only.
        BindPaths = [ "/var/run/postgresql" ];
        # Read-only: DNS resolution, NSS and CA trust material needed inside
        # the confinement (both the /etc entries and their /etc/static targets).
        BindReadOnlyPaths = [
          /run/systemd/resolve/stub-resolv.conf
          /etc/ssl
          /etc/static/ssl
          /etc/resolv.conf
          /etc/static/resolv.conf
          /etc/nsswitch.conf
          /etc/static/nsswitch.conf
          /etc/hosts
        ];
      };
    };

    services = {
      postgresql = {
        enable = lib.mkDefault true;
        ensureDatabases = [ cfg.environment.DBName ];
        # NOTE(review): ensureDBOwnership ties ownership to a database named
        # after the user, so DBName is expected to match `user` — confirm
        # against the NixOS postgresql module's assertion before changing
        # either default independently.
        ensureUsers = [ { name = cfg.user; ensureDBOwnership = true; } ];
      };
      webserver = {
        enable = lib.mkDefault true;
        vHosts.${fqdn} = {
          proxyBuffering = false;
          locations."/".proxyPort = cfg.port;
        };
      };
    };
  };
}