{
  lib,
  config,
  ...
}: let
  cfg = config.services.ddclient-hetzner;
in {
  options.services.ddclient-hetzner = with lib; {
    enable = mkEnableOption "Enable ddclient-hetzner";
    zone = mkOption {type = types.str;};
    domains = mkOption {type = types.listOf types.str;};
    passwordFile = mkOption {type = types.path;};
  };

  config = lib.mkIf cfg.enable {
    users.groups.ddclient = {};
    users.users.ddclient = {
      isSystemUser = true;
      group = "ddclient";
    };

    services.ddclient = {
      enable = cfg.enable;
      verbose = true;
      protocol = "hetzner";

      # see https://github.com/ddclient/ddclient/blob/a4eab34ab4719d1e2146d8c9c4449b70dd7e0163/ddclient.in#L775
      username = "token";

      inherit (cfg) zone domains passwordFile;

      extraConfig = ''
      '';
    };

    systemd.services.ddclient.serviceConfig.User = config.users.users.ddclient.name;
    systemd.services.ddclient.serviceConfig.Group = config.users.groups.ddclient.name;
  };
}