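# Tor onion service plus the clearnet nginx virtual host of this machine.
#
# Curried module arguments:
#   domain   - clearnet domain the host belongs to
#   lib      - nixpkgs lib (genAttrs, mkForce are used)
#   config   - evaluated NixOS config; reads security.gnupg.secrets and
#              services.nginx.{user,group}
#   hostName - short host name; the clearnet vhost is "${hostName}.${domain}"
{ domain, ... }:
{ lib, config, hostName, ... }:
let
  inherit (config.security) gnupg;
  inherit (config.services) nginx;
  # nginx document root. The trees served below are not stored here: they are
  # bind-mounted read-only under it by BindReadOnlyPaths (systemd.services.nginx).
  root = "/var/lib/nginx";
  # Onion address of the hidden service; its private key is provisioned through
  # security.gnupg.secrets below, not stored in the store.
  onion = "dfc66yn2fundui5yvq2ndx4nmcmbxpho4ji32tlc4cncrjvs2b5yu4id";
  # Shared nginx snippet for a public, read-only directory listing. Defined once
  # so the four listing locations cannot drift apart. open_file_cache is
  # disabled; the time-limited variant is left commented out in the snippet.
  fancyIndexConfig = ''
    autoindex on;
    fancyindex on;
    fancyindex_exact_size off;
    fancyindex_name_length 255;
    open_file_cache off;
    #open_file_cache_valid 1s;
  '';
in
{
  services.tor = {
    relay.onionServices."nginx/${domain}/${hostName}" = {
      # Ed25519 key of the onion service, decrypted by the gnupg secrets service.
      secretKey = gnupg.secrets."tor/onion/${onion}/hs_ed25519_secret_key".path;
      # Only port 80 is exposed on the onion; the 443 -> 8443 mapping stays off.
      map = [
        80
        #{ port = 443; target = { port = 8443; }; }
      ];
      /*
        authorizedClients = [
      "descriptor:x25519:2EZQ3AOZXERDVSN6WO5LNSCOIIPL2AT2A7KOS4ZIYNVQDR5EFM2Q" # julm
        ];
      */
    };
    /*
      client.onionServices.${onion} = {
      clientAuthorizations = [
      gnupg.secrets."tor/auth/julm".path
      ];
      };
    */
  };
  # Secrets decrypted before tor (onion key, client auth) and before nginx
  # (htpasswd). The htpasswd file must be readable by the nginx service user,
  # hence the explicit user/group.
  security.gnupg.secrets = lib.genAttrs [
    "tor/onion/${onion}/hs_ed25519_secret_key"
    "tor/auth/julm"
  ]
    (_secret: {
      systemdConfig.before = [ "tor.service" ];
      systemdConfig.wantedBy = [ "tor.service" ];
    }) // {
    "nginx/perso/htpasswd" = {
      # Generated with: for i in $PASSWORD_STORE_DIR/hosts/losurdo/nginx/perso/htpasswd/*.gpg; do i="${i#$PASSWORD_STORE_DIR/}"; i=${i%.gpg}; printf %s: "${i##*/}"; pass $i | openssl passwd -apr1 -stdin; done | pass insert -m hosts/losurdo/nginx/perso/htpasswd
      # Then: nix flake lock --update-input pass
      # NOTE(review): -apr1 is the MD5-based Apache scheme. nginx's auth_basic
      # also accepts crypt(3) hashes, so `openssl passwd -6` (SHA-512 crypt)
      # should be a stronger drop-in; confirm against the deployed nginx before switching.
      systemdConfig.before = [ "nginx.service" ];
      systemdConfig.wantedBy = [ "nginx.service" ];
      user = nginx.user;
      group = nginx.group;
    };
  };
  services.nginx = {
    # Onion vhost: serves only the public /dl tree, rooted directly at it.
    # NOTE(review): no listenAddresses is set, so this vhost is presumably also
    # selectable by Host header on the clearnet listeners; it exposes nothing
    # beyond what /dl already publishes, but verify if that changes.
    virtualHosts."${onion}.onion" = {
      root = root + "/dl";
      extraConfig = ''
        access_log /var/log/nginx/${domain}/${hostName}/access.json json buffer=32k;
        error_log  /var/log/nginx/${domain}/${hostName}/error.log warn;
      '';
      locations."/".extraConfig = fancyIndexConfig;
    };
    # Clearnet vhost, TLS only (forceSSL redirects plain HTTP), certificate
    # taken from the ACME host of the domain.
    virtualHosts."${hostName}.${domain}" = {
      serverAliases = [ domain ];
      #onlySSL = true;
      #addSSL = true;
      forceSSL = true;
      useACMEHost = domain;
      root = root;
      extraConfig = ''
        access_log /var/log/nginx/${domain}/${hostName}/access.json json buffer=32k;
        error_log  /var/log/nginx/${domain}/${hostName}/error.log warn;
      '';
      # Anything outside the prefixes below gets 444: nginx closes the
      # connection without sending a response.
      locations."/".extraConfig = ''
        #autoindex on;
        return 444;
      '';
      # Public listings. These are nginx prefix locations, so each also covers
      # paths that merely start with the prefix.
      locations."/dl".extraConfig = fancyIndexConfig;
      locations."/julm".extraConfig = fancyIndexConfig;
      locations."/haskell".extraConfig = fancyIndexConfig;
      # Private listing, behind HTTP basic auth (credentials only travel over
      # TLS because of forceSSL above).
      locations."/perso" = {
        basicAuthFile = gnupg.secrets."nginx/perso/htpasswd".path;
        extraConfig = ''
          autoindex on;
        '';
      };
    };
  };
  systemd.services.nginx = {
    serviceConfig = {
      # Per-domain log directories referenced by access_log/error_log above.
      # mkForce replaces the nginx module's own LogsDirectory instead of
      # merging with it.
      LogsDirectory = lib.mkForce [
        "nginx/${domain}/${hostName}"
        "nginx/wg-intra/${hostName}"
      ];
      # The served trees live in home directories; they are exposed to nginx
      # read-only under ${root} rather than opening the home directories themselves.
      BindReadOnlyPaths = [
        "/home/julm/work/sourcephile/web:${root}/julm"
        "/home/julm/dl:${root}/dl"
        "/home/julm/work/sourcephile/haskell:${root}/haskell"
        "/home/julm/perso:${root}/perso"
      ];
    };
  };
}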