{ domain, ... }:
{ pkgs, lib, config, ... }:
let
  inherit (config) networking;
  inherit (config.security) gnupg;
  inherit (config.services) nginx;
  srv = "losurdo";
in
{
# TLS-only virtual host "${srv}.${domain}" (alias: the bare domain) on port 8443.
# Three areas: "/" (no listing), "/julm" (public listing), "/sevy" (basic auth).
services.nginx.virtualHosts."${srv}" = {
  serverName = "${srv}.${domain}";
  serverAliases = [ domain ];
  # IPv4 wildcard bind; which networks can actually reach 8443 is decided by
  # firewall rules that are not part of this file.
  listen = [
    {
      addr = "0.0.0.0";
      port = 8443;
      ssl = true;
    }
  ];
  onlySSL = true;
  #forceSSL = true;
  # Certificate is taken from the ACME host entry named after the domain.
  useACMEHost = domain;
  # Every file below this directory is addressable by URL unless a location
  # denies it: "autoindex off" only hides directory listings, it does not
  # block direct requests for a known path.
  root = "/var/lib/nginx";
  # "json" names a log_format that has to be declared elsewhere in the nginx
  # configuration. The log directory is created by the systemd unit's
  # LogsDirectory setting.
  extraConfig = ''
    access_log /var/log/nginx/${domain}/${srv}/access.log json buffer=32k;
    error_log  /var/log/nginx/${domain}/${srv}/error.log warn;
  '';
  locations = {
    # Default area: no directory listing.
    "/" = {
      extraConfig = ''
        autoindex off;
      '';
    };
    # Public, unauthenticated listing. This is a prefix location without a
    # trailing slash, so it also applies to any sibling path whose name starts
    # with "julm". The fancyindex_* directives come from the fancyindex module,
    # which must be enabled elsewhere.
    "/julm" = {
      extraConfig = ''
        autoindex on;
        fancyindex on;
        fancyindex_exact_size off;
        fancyindex_name_length 255;
      '';
    };
    # HTTP basic auth against the decrypted htpasswd secret. Credentials travel
    # with every request and are protected in transit only by TLS, which this
    # host enforces through onlySSL and the ssl listener above.
    "/sevy" = {
      extraConfig = ''
        auth_basic "sevy's area";
        auth_basic_user_file ${gnupg.secrets."nginx/sevy/htpasswd".path};
        autoindex off;
      '';
    };
  };
};
# Unit-level wiring for nginx: per-vhost log directory and ordering after the
# unit that provides the htpasswd secret.
systemd.services.nginx =
  let
    htpasswdUnit = gnupg.secrets."nginx/sevy/htpasswd".service;
  in
  {
    # wants + after: nginx is started after the secret unit, but a failure of
    # that unit does not stop nginx from starting.
    # NOTE(review): confirm that /sevy then denies access rather than serving
    # content, or use `requires` if nginx must not run without the secret.
    wants = [ htpasswdUnit ];
    after = [ htpasswdUnit ];
    # mkForce replaces any LogsDirectory value set at normal priority, so
    # systemd creates /var/log/nginx/${domain}/${srv}, the directory used by
    # the access_log and error_log directives of this virtual host.
    serviceConfig.LogsDirectory = lib.mkForce [ "nginx/${domain}/${srv}" ];
  };
# htpasswd file for the "/sevy" area, delivered through security.gnupg.secrets.
# user and group are set to nginx's, presumably so that only the web server
# account can read the decrypted file. Confirm against the gnupg secrets module.
security.gnupg.secrets."nginx/sevy/htpasswd" = {
  # Generated with: echo "$user:$(openssl passwd -apr1)"
  # NOTE(review): apr1 is an MD5-based scheme and is cheap to brute-force
  # offline if this file ever leaks. nginx also accepts the platform's crypt()
  # schemes, so `openssl passwd -6` (SHA-512 crypt) is a stronger choice where
  # the libc supports it. Verify on the target host.
  inherit (nginx) user group;
};
}