{
  lib,
  config,
  ...
}:
let
  backendEnabled = config.mod.whib-backend.enable;
  frontendEnabled = config.mod.whib-frontend.enable;
in
{
  options = {
    mod.whib-backend = {
      enable = lib.mkEnableOption "enable WHIB backend";
    };

    mod.whib-frontend = {
      enable = lib.mkEnableOption "enable WHIB frontend";
    };
  };

  config = {
    assertions = lib.mkIf backendEnabled [
      {
        assertion = config.services.nginx.enable;
        message = "Option 'config.services.nginx' must be enabled";
      }
    ];

    services.whib-backend = lib.mkIf backendEnabled {
      enable = true;

      backend = {
        domain = "api.whib.ppp.pm";
        useACMEHost = "api.whib.ppp.pm";

        environmentFile = config.age.secrets.whib-backend-env-vars.path;
      };

      postgres = {
        environmentFile = config.age.secrets.whib-postgres-env-vars.path;

        backup = {
          interval = "*-*-* 00:00:00 UTC";

          environmentFile = config.age.secrets.whib-postgres-backup-env-vars.path;
          gpgPassphraseFile = config.age.secrets.whib-gpg-key.path;
        };
      };

      grafana = {
        domain = "grafana.whib.ppp.pm";
        useACMEHost = "grafana.whib.ppp.pm";

        environmentFile = config.age.secrets.whib-grafana-env-vars.path;
      };
    };

    services.whib-frontend = lib.mkIf frontendEnabled {
      enable = true;

      domain = "whib.ppp.pm";
      useACMEHost = "whib.ppp.pm";
      backendHost = "api.whib.ppp.pm";
    };

    age.secrets = {
      "whib-backend-env-vars".file = ../../../../secrets/tadpole/whib-backend-env-vars.age;
      "whib-postgres-env-vars".file = ../../../../secrets/tadpole/whib-postgres-env-vars.age;

      "whib-postgres-backup-env-vars".file =
        ../../../../secrets/tadpole/whib-postgres-backup-env-vars.age;
      "whib-gpg-key".file = ../../../../secrets/tadpole/whib-gpg-key.age;

      "whib-grafana-env-vars".file = ../../../../secrets/tadpole/whib-grafana-env-vars.age;
    };
  };
}