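# NixOS module: runs Fava (web UI for Beancount ledgers) as a dedicated
# system user bound to loopback, and exposes it through an nginx virtual
# host that listens only on a single (Tailscale) address with TLS from the
# host's ACME certificate.
#
# Nothing in this module puts authentication in front of Fava (no
# basicAuth on the vhost); the only access control is the address nginx
# binds to, so `listenAddress` must stay on a trusted network.
{
  config,
  lib,
  pkgs,
  ...
}: let
  inherit
    (lib)
    escapeShellArg
    mkEnableOption
    mkIf
    mkOption
    ;

  cfg = config.my.services.fava;

  domain = config.networking.domain;
  hostname = config.networking.hostName;
  # Certificate name used by security.acme; the Fava vhost is added to it as
  # an extra SAN below rather than getting its own certificate.
  fqdn = "${hostname}.${domain}";
in {
  options.my.services.fava = let
    inherit (lib) types;
  in {
    enable = mkEnableOption "Fava";

    home = mkOption {
      type = types.str;
      default = "/var/lib/fava";
      example = "/var/lib/fava";
      description = ''
        Home for the fava service, where data will be stored. This is the
        only path the service can write to (see ReadWritePaths); keep it
        outside /home, which ProtectHome hides from the service.
      '';
    };

    port = mkOption {
      type = types.port;
      default = 8080;
      example = 8080;
      description = "Internal port for Fava (bound to 127.0.0.1 only)";
    };

    filePath = mkOption {
      type = types.str;
      example = "my_dir/money.beancount";
      description = "File to load in Fava, relative to `home`";
    };

    listenAddress = mkOption {
      type = types.str;
      default = "100.80.61.67";
      example = "100.80.61.67";
      description = ''
        Address the nginx virtual host binds to. Defaults to this host's
        Tailscale address so Fava is only reachable over the tailnet. Fava
        has no authentication of its own in this setup; do not point this at
        a publicly reachable interface.
      '';
    };
  };

  config = mkIf cfg.enable {
    systemd.services.fava = {
      description = "Fava web interface for Beancount";
      wantedBy = ["multi-user.target"];
      after = ["network.target"];
      serviceConfig = {
        # Loopback only: nginx below is the sole external entry point.
        # The ledger path is quoted so a `home`/`filePath` containing spaces
        # cannot be split into extra arguments by systemd's command parsing.
        ExecStart = "${pkgs.fava}/bin/fava -H 127.0.0.1 -p ${toString cfg.port} ${escapeShellArg "${cfg.home}/${cfg.filePath}"}";
        WorkingDirectory = cfg.home;
        User = "fava";
        Group = "fava";
        Restart = "on-failure";

        # Sandboxing: the service needs its own home (Fava can edit the
        # ledger in place through its web editor) and TCP on loopback,
        # nothing else on the system.
        NoNewPrivileges = true;
        PrivateTmp = true;
        PrivateDevices = true;
        ProtectSystem = "strict";
        ProtectHome = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectControlGroups = true;
        RestrictSUIDSGID = true;
        LockPersonality = true;
        RestrictAddressFamilies = ["AF_INET" "AF_INET6" "AF_UNIX"];
        ReadWritePaths = [cfg.home];
      };
    };

    users.users.fava = {
      isSystemUser = true;
      home = cfg.home;
      createHome = true;
      group = "fava";
    };
    users.groups.fava = {};

    services.nginx.virtualHosts."fava.${domain}" = {
      # Plain HTTP on port 80 exists only so nginx can redirect it to HTTPS.
      forceSSL = true;
      useACMEHost = fqdn;

      listen = [
        {
          addr = cfg.listenAddress;
          port = 443;
          ssl = true;
        }
        {
          addr = cfg.listenAddress;
          port = 80;
          ssl = false;
        }
      ];

      locations."/".proxyPass = "http://127.0.0.1:${toString cfg.port}";
    };

    # Reuse the host certificate instead of issuing one per service.
    security.acme.certs.${fqdn}.extraDomainNames = ["fava.${domain}"];
  };
}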