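# NixOS module: for every listed service, registers two plain-HTTP Caddy
# sites (the bare short name and the tailnet FQDN) that redirect to the
# service's HTTPS FQDN on the tailnet.
{ lib, config, ... }:
let
  cfg = config.services.tailscale-redirects;

  # One DNS label: letters, digits and inner hyphens. Both options below are
  # interpolated verbatim into Caddy site addresses and a `redir` directive,
  # so whitespace, braces or newlines in them would change the meaning of the
  # generated Caddyfile. Rejecting them at evaluation time gives a clear error
  # instead of a broken or unintended configuration.
  dnsLabel = "[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?";
in
{
  options.services.tailscale-redirects = with lib; {
    enable = mkEnableOption "tailscale-redirects";

    tailnet = mkOption {
      # Dot-separated DNS labels, e.g. "tail-scale.ts.net".
      type = types.strMatching "${dnsLabel}(\\.${dnsLabel})*";
      example = "tail-scale.ts.net";
      description = "The [tailnet name](https://tailscale.com/kb/1217/tailnet-name) to use for all redirects.";
    };

    services = mkOption {
      # Each entry becomes a host name, so it must be a single DNS label.
      type = types.listOf (types.strMatching dnsLabel);
      # A real list rather than a string, so the rendered documentation shows
      # a value of the option's actual type.
      example = [ "grafana" "linkwarden" "beszel" ];
      description = "A list of the service names to be given HTTP and shortname redirects to their FQDN HTTPS equivalents.";
    };
  };

  config = lib.mkIf cfg.enable {
    # The redirects are expressed purely as Caddy virtual hosts, so the module
    # does nothing useful unless Caddy itself is enabled.
    assertions = [
      {
        assertion = config.services.caddy.enable;
        message = "services.tailscale-redirects only works when services.caddy is enabled";
      }
    ];

    services.caddy.virtualHosts =
      let
        # `{uri}` is a Caddy placeholder (not Nix interpolation) holding the
        # request path and query. Without it every request is redirected to
        # the bare origin and the path is lost. 308 is a permanent redirect
        # that keeps the request method; clients may cache it, so a wrong
        # entry can outlive its removal from this list.
        redirect = svc: "redir https://${svc}.${cfg.tailnet}{uri} 308";

        # Two plain-HTTP sites per service: the short name and the FQDN.
        sitesFor = svc: [
          (lib.nameValuePair "http://${svc}" { extraConfig = redirect svc; })
          (lib.nameValuePair "http://${svc}.${cfg.tailnet}" { extraConfig = redirect svc; })
        ];
      in
      # listToAttrs keeps the first of any duplicate names, so a service
      # listed twice still produces a single pair of sites.
      lib.listToAttrs (lib.concatMap sitesFor cfg.services);
  };
}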