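# NixOS module for the PodcastItLater web front end.
#
# It defines a systemd unit that runs the packaged web binary and an nginx
# virtual host that terminates TLS (ACME) and reverse-proxies to it.
{ options, lib, config, ... }:
let
  cfg = config.services.podcastitlater-web;
  rootDomain = "bensima.com";
  ports = import ../../Omni/Cloud/Ports.nix;
in
{
  options.services.podcastitlater-web = {
    # mkEnableOption renders its argument as "Whether to enable <name>.", so
    # the name must not itself start with "Enable" (the old text produced
    # "Whether to enable Enable the ...").
    enable = lib.mkEnableOption "the PodcastItLater web service";

    port = lib.mkOption {
      # `port` is a 16-bit-range int; plain `int` accepted out-of-range values.
      type = lib.types.port;
      default = 8000;
      description = ''
        The port on which PodcastItLater web will listen for incoming HTTP traffic.
      '';
    };

    dataDir = lib.mkOption {
      type = lib.types.path;
      default = "/var/podcastitlater";
      description = "Data directory for PodcastItLater (shared with worker)";
    };

    package = lib.mkOption {
      type = lib.types.package;
      description = "PodcastItLater web package to use";
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services.podcastitlater-web = {
      description = "PodcastItLater Web Service";
      path = [ cfg.package ];
      wantedBy = [ "multi-user.target" ];

      preStart = ''
        # Create data directory if it doesn't exist
        mkdir -p "${cfg.dataDir}"

        # Manual step: create this file with secrets
        #   MAILGUN_WEBHOOK_KEY=your-mailgun-webhook-key
        #   SECRET_KEY=your-secret-key-for-sessions
        #   SESSION_SECRET=your-session-secret
        #   EMAIL_FROM=noreply@podcastitlater.bensima.com
        #   SMTP_SERVER=smtp.mailgun.org
        #   SMTP_PASSWORD=your-smtp-password
        # NOTE(review): /run is normally a tmpfs, so this file does not survive
        # a reboot unless a secrets tool recreates it -- confirm how it is
        # provisioned. Failing here keeps the app from starting without secrets.
        test -f /run/podcastitlater/env
      '';

      script = ''
        ${cfg.package}/bin/podcastitlater-web
      '';

      serviceConfig = {
        Type = "simple";
        Environment = [
          "PORT=${toString cfg.port}"
          "AREA=Live"
          "DATABASE_PATH=${cfg.dataDir}/podcast.db"
          "BASE_URL=https://podcastitlater.${rootDomain}"
        ];
        # Secrets are injected from this file rather than the Nix store, which
        # is world-readable.
        EnvironmentFile = "/run/podcastitlater/env";
        KillSignal = "INT";
        Restart = "on-abort";
        RestartSec = "1";

        # No User/DynamicUser is set, so the unit runs as root. Moving to a
        # dedicated user requires the worker (which shares dataDir) to use the
        # same account and ownership, so it is left as a TODO. The sandboxing
        # below narrows what the process can reach in the meantime; none of it
        # restricts /var (dataDir) or /run (the env file).
        NoNewPrivileges = true;
        PrivateTmp = true;
        PrivateDevices = true;
        ProtectHome = true;
        # "full" leaves /var writable; "strict" would additionally need
        # ReadWritePaths for cfg.dataDir and /run/podcastitlater.
        ProtectSystem = "full";
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectControlGroups = true;
      };
    };

    # Nginx: TLS termination (ACME) and reverse proxy to the app port.
    services.nginx = {
      enable = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      statusPage = true;
      virtualHosts."podcastitlater.${rootDomain}" = {
        forceSSL = true;
        # enableACME relies on the global security.acme settings (terms
        # acceptance, contact email) being configured elsewhere.
        enableACME = true;
        locations."/" = {
          proxyPass = "http://localhost:${toString cfg.port}";
          proxyWebsockets = true;
        };
      };
    };

    # Firewall: http/https are what the nginx vhost needs. ports.ssh is kept
    # from the original list, but it is unrelated to this service and belongs
    # in a host-level module; drop it here only once another module (or
    # services.openssh.openFirewall) guarantees SSH stays reachable.
    networking.firewall.allowedTCPPorts = [ ports.ssh ports.http ports.https ];
  };
}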