{ lib, config, hostName, ... }:
with (import ../networking/names-and-numbers.nix);
let
  inherit (config.networking) domain;
  root = "/var/lib/nginx";
in
{
  services.nginx = {
    virtualHosts."${hostName}.${domain}" = {
      serverAliases = [
        "${wifiIPv4}.1"
        "${eth1IPv4}.1"
        "${eth2IPv4}.1"
        "${eth3IPv4}.1"
      ];
      #onlySSL = true;
      #addSSL = true;
      #forceSSL = true;
      #useACMEHost = domain;
      root = root;
      extraConfig = ''
        access_log /var/log/nginx/${domain}/${hostName}/access.json json buffer=32k;
        error_log  /var/log/nginx/${domain}/${hostName}/error.log warn;
      '';
      locations."/".extraConfig = ''
        #autoindex on;
        return 444;
      '';
      locations."/perso/photo" = {
        #basicAuthFile = gnupg.secrets."nginx/perso/htpasswd".path;
        extraConfig = ''
          autoindex on;
          #fancyindex on;
          #fancyindex_exact_size off;
          #fancyindex_name_length 255;
          open_file_cache off;
          #open_file_cache_valid 1s;
        '';
      };
      locations."/perso/camera" = {
        #basicAuthFile = gnupg.secrets."nginx/perso/htpasswd".path;
        extraConfig = ''
          autoindex on;
          #fancyindex on;
          #fancyindex_exact_size off;
          #fancyindex_name_length 255;
          open_file_cache off;
          #open_file_cache_valid 1s;
        '';
      };
    };
  };
  systemd.services.nginx = {
    serviceConfig = {
      LogsDirectory = lib.mkForce [
        "nginx/${domain}/${hostName}"
      ];
      BindReadOnlyPaths = [
        "-/mnt/off2/julm/backup/das1/julm/perso/photo:${root}/perso/photo"
        "-/mnt/off2/julm/perso/camera:${root}/perso/camera"
      ];
    };
  };
}