{
  flakes,
  pkgs,
  config,
  secrets,
  ...
}:
let
  cache = pkg: ''
    location ~* \.(png|jpg|jpeg|gif|svg|ico|woff|woff2|ttf)$ {
      expires max;
      add_header Cache-Control "public, no-transform";
      root ${pkg};
    }
  '';
  regular = "${flakes.homepage.packages.${pkgs.system}.website}";
  gay = "${flakes.homepage.packages.${pkgs.system}.website-gay}";
  ssl = {
    forceSSL = true;
    http2 = true;
    enableACME = true;
  };
  base =
    pkg:
    {
      extraConfig = cache pkg;
    }
    // ssl;
  site =
    pkg:
    {
      locations."/".root = pkg;
    }
    // (base pkg);
  redirect =
    return:
    {
      locations."/".return = return;
    }
    // ssl;

  package = flakes.homepage.packages.${pkgs.system};
in
{
  sops.secrets.homepage = {
    sopsFile = "${secrets}/homepage.env";
  };

  systemd.services.homepage = {
    description = "homepage";
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      DynamicUser = "yes";
      ExecStart = "${pkgs.bash}/bin/bash ${package.website}/bin/run";
      Restart = "on-failure";
      RestartSec = "5s";
      EnvironmentFile = config.sops.secrets.homepage.path;
      WorkingDirectory = "${package.website}";
      StateDirectory = "homepage";
    };

    environment = {
      BETTER_AUTH_URL = "https://donsz.nl";
      DATABASE_LOCATION = "/var/lib/homepage/db.sqlite";
      HOST = "localhost";
      PORT = "11020";
    };
  };

  services.nginx.virtualHosts = {
    "donsz.nl" = {
      forceSSL = true;
      enableACME = true;
      extraConfig = ''
        ${cache "${package.website}/homepage/client"}
      '';
      locations."/".proxyPass = "http://localhost:${toString 11020}";
    };
    "blog.donsz.nl" = redirect "301 https://donsz.nl/blog";
  };
  # services.nginx = {
  # virtualHosts = {
  #     "donsz.nl" = site regular;
  #     "jdonszelmann.nl" = site regular;
  #     "gay.donsz.nl" = site gay;
  #     "jana.is.fckn.gay" = site gay;
  # };
  # };
}