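# NixOS module: self-hosted ntfy server published through nginx with TLS,
# with anonymous access denied and a single admin account that is created
# once from a clan-managed secret.
{
  pkgs,
  config,
  lib,
  ...
}: let
  # One-shot helper that creates the ntfy "admin" user on first run.
  # A marker file makes every later run a no-op, so changing the generated
  # password afterwards does NOT update the existing ntfy account.
  createAdminUser = pkgs.writeShellApplication {
    name = "create-admin-user";
    runtimeInputs = [config.services.ntfy-sh.package];
    text = ''
      marker="/var/lib/ntfy-sh/admin-created"
      if [ ! -f "$marker" ]; then
        # The password reaches ntfy through the environment of this single
        # command rather than argv, so it does not show up in the process list.
        # The bash file-read form avoids depending on cat being on PATH.
        NTFY_PASSWORD="$(<"${config.clan.core.vars.generators.ntfy.files.password.path}")" \
          ntfy user add --role=admin admin
        # Only reached when the user was added successfully.
        touch "$marker"
      fi
    '';
  };
in {
  # Secret generator: use the operator-supplied password if one was entered,
  # otherwise generate a passphrase.
  clan.core.vars.generators."ntfy" = {
    prompts.password = {
      type = "hidden";
      persist = true;
      description = "Leave empty to generate automatically";
    };
    files.password = {};
    runtimeInputs = [
      pkgs.coreutils
      pkgs.xkcdpass
    ];
    script = ''
      prompt_value="$(cat "$prompts/password")"
      if [[ -n "''${prompt_value-}" ]]; then
        # printf instead of echo: echo would treat a value such as "-n" or
        # "-e" as an option and silently store something else.
        printf '%s' "$prompt_value" | tr -d "\n" > "$out"/password
      else
        # NOTE(review): four words is roughly 51 bits with a 7776-word list;
        # confirm the list xkcdpass ships with and consider more words for an
        # internet-facing admin account.
        xkcdpass --numwords 4 --delimiter - --count 1 | tr -d "\n" > "$out"/password
      fi
    '';
  };

  services.ntfy-sh = {
    enable = true;
    settings = {
      base-url = "https://ntfy.moritz.place";
      # Bind to loopback only: nginx below is the sole intended client. With
      # behind-proxy enabled ntfy takes the visitor address from the
      # X-Forwarded-For header, so a listener reachable from other hosts would
      # let a direct client choose the address used for rate limiting, and
      # would serve the API without TLS.
      listen-http = "127.0.0.1:2586";
      behind-proxy = true;
      # No anonymous read or write; access must be granted per user.
      auth-default-access = "deny-all";
    };
  };

  # Runs the admin bootstrap after the server unit has been started.
  systemd.services.ntfy-sh-setup = {
    description = "Setup ntfy user";
    wantedBy = ["default.target"];
    requires = ["ntfy-sh.service"];
    after = ["ntfy-sh.service"];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
      ExecStart = lib.getExe createAdminUser;
    };
  };

  # TLS termination and reverse proxy; websockets are needed for live
  # subscriptions.
  services.nginx.virtualHosts."ntfy.moritz.place" = {
    forceSSL = true;
    useACMEHost = "any.moritz.place";
    locations."/" = {
      proxyPass = "http://127.0.0.1:2586";
      proxyWebsockets = true;
    };
  };
}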