{
  config,
  pkgs,
  lib,
  ...
}:
with lib; let
  cfg = config.pub-solar.core;
in {
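  options.pub-solar.core = {
    # Toggles for the loopback-only helper sites set up under `config` below.
    # Both default to "on" unless cfg.lite is set. `lite` is not declared in
    # this file -- presumably another pub-solar.core module declares it.
    enableCaddy = mkOption {
      type = types.bool;
      default = !cfg.lite;
      # The default reads from config, so give the manual a static rendering.
      defaultText = literalExpression "!config.pub-solar.core.lite";
      description = "Whether to run the local Caddy reverse proxy that serves the *.local helper sites.";
    };
    enableHelp = mkOption {
      type = types.bool;
      default = !cfg.lite;
      defaultText = literalExpression "!config.pub-solar.core.lite";
      # The help site is only a Caddy vhost, so it is served only while
      # enableCaddy is also true.
      description = "Whether to serve the bundled documentation at help.local (requires enableCaddy).";
    };

    # binaryCaches and publicKeys together decide which pre-built store paths
    # this machine will accept without building them itself; they are passed
    # verbatim to nix.settings.substituters / trusted-public-keys below.
    # Review additions like additions to a package-signing keyring: a trusted
    # key is not tied to one cache URL, it is accepted for any store path
    # fetched from any configured substituter.
    binaryCaches = mkOption {
      type = types.listOf types.str;
      default = [];
      description = "Binary caches to use.";
    };
    publicKeys = mkOption {
      type = types.listOf types.str;
      default = [];
      description = "Public keys of binary caches.";
    };
  };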
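  config = {
    # Disable the NetworkManager and systemd-networkd wait-online units by
    # default; mkDefault lets a host re-enable them with a plain assignment.
    systemd.services.NetworkManager-wait-online.enable = lib.mkDefault false;
    systemd.services.systemd-networkd-wait-online.enable = lib.mkDefault false;

    networking.networkmanager = {
      # Enable networkmanager. REMEMBER to add yourself to group in order to use nm related stuff.
      enable = true;
      # not as stable as wpa_supplicant yet, also more trouble with 5 GHz networks
      #wifi.backend = "iwd";
    };

    # Host firewall stays on. Nothing in this block opens a port: the Caddy
    # sites below bind to loopback only.
    networking.firewall.enable = true;

    # Customized binary caches list (with fallback to official binary cache).
    # NOTE(review): the fallback is not added here; it relies on the NixOS nix
    # module appending cache.nixos.org and its key to these lists -- confirm
    # for the nixpkgs revision in use.
    # These two lists are the trust root for substituted store paths, so every
    # URL in binaryCaches should have its signing key in publicKeys and nothing
    # else should be listed.
    nix.settings.substituters = cfg.binaryCaches;
    nix.settings.trusted-public-keys = cfg.publicKeys;

    # These entries get added to /etc/hosts. Each name is only added when the
    # feature that serves it is switched on, and all of them resolve to
    # loopback.
    networking.hosts = {
      "127.0.0.1" =
        lib.optionals cfg.enableCaddy ["caddy.local"]
        ++ lib.optionals config.pub-solar.printing.enable ["cups.local"]
        ++ lib.optionals cfg.enableHelp ["help.local"];
    };

    # Changing the Caddyfile should only trigger a reload, not a restart.
    # Only define this when Caddy is actually enabled: an unconditional
    # systemd.services.caddy.* assignment makes NixOS emit a caddy.service stub
    # (and evaluate the Caddyfile) on hosts where the proxy is switched off.
    systemd.services.caddy = lib.mkIf config.services.caddy.enable {
      reloadTriggers = [
        config.services.caddy.configFile
      ];
    };

    # Caddy reverse proxy for local services like cups
    services.caddy = {
      enable = cfg.enableCaddy;
      # default_bind keeps every listener on 127.0.0.1, so the sites below are
      # not reachable from the network. auto_https off means they are served
      # as plain HTTP with no certificate management, which is only acceptable
      # because traffic never leaves the host -- revisit both together if the
      # bind address is ever widened.
      globalConfig = ''
        default_bind 127.0.0.1
        auto_https off
      '';
      extraConfig = concatStringsSep "\n" [
        # cups.local: forwards to cupsd over its unix socket and rewrites the
        # Host header to localhost:631 first.
        # NOTE(review): with Host rewritten, cupsd no longer sees the name the
        # client asked for, so any Host-based filtering has to happen in Caddy
        # (the cups.local site matcher) and access control is whatever cupsd's
        # own policy grants local clients -- confirm that is the intent.
        (lib.optionalString
          config.pub-solar.printing.enable
          ''
            cups.local:80 {
              request_header Host localhost:631
              reverse_proxy unix//run/cups/cups.sock
            }
          '')

        # help.local: static file server rooted in the psos-docs package's
        # HTML output in the Nix store.
        (lib.optionalString
          cfg.enableHelp
          ''
            help.local:80 {
              root * ${pkgs.psos-docs}/lib/html
              # Caddy builds the etag with only the file size & latest modified
              # date, which is always 1970-01-01 in the Nix store
              header -ETag
              file_server
            }
          '')
      ];
    };
  };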
}