{
    config,
    lib,
    pkgs,
    ...
}: let
    cfg = config.services.anki-sync-server;

    inherit (lib.meta) getExe';
    inherit (lib.modules) mkIf;
    inherit (lib.options) mkEnableOption mkOption;
    inherit (lib.types) bool package port str;
in {
    options.services.anki-sync-server = {
        enable = mkEnableOption "anki-sync-server";

        package = mkOption {
            type = package;
            default = pkgs.anki-bin;
            description = "The package to use for the anki sync server.";
        };

        host = mkOption {
            type = str;
            default = "localhost";
            description = "anki-sync-server host";
        };

        port = mkOption {
            type = port;
            default = 27701;
            description = "anki-sync-server port";
        };

        openFirewall = mkOption {
            default = false;
            type = bool;
            description = "Whether to open the firewall for the specified port.";
        };
    };

    config = mkIf cfg.enable {
        networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ];

        systemd.services.anki-sync-server = {
            description = "Selfhosted Anki sync server.";
            after = [ "network.target" ];
            wantedBy = [ "multi-user.target" ];
            path = [ cfg.package ];

            serviceConfig = {
                Type = "simple";
                DynamicUser = true;
                StateDirectory = "anki-sync-server";
                ExecStart = "${getExe' cfg.package "anki"} --syncserver";
                Environment = ''SYNC_BASE="/var/lib/anki-sync-server" SYNC_HOST="${cfg.host}" SYNC_PORT="${cfg.port}"'';
                EnvironmentFile = config.age.secrets.anki-user-credentials.path;
                Restart = "always";
            };
        };
    };
}