# NixOS host module: nginx as the public HTTP(S) front-end of this host.
# Ties together firewall exposure, UPnP port forwarding, the nginx state
# dataset and a catch-all virtual host that refuses requests for unknown names.
{ pkgs, lib, config, hostName, ... }:
let
  nginxUser = config.services.nginx.user;
  domain = config.networking.domain;
in
{
  imports = [
    ../../nixos/profiles/services/nginx.nix
    nginx/sourcephile.fr.nix
  ];

  # Group memberships granted to the nginx worker user. The group names
  # suggest read access to ACME certificates, deployed key files and
  # transmission's data; confirm against the modules that create those
  # groups, since each membership widens what the worker can read.
  users.groups = {
    acme.members = [ nginxUser ];
    keys.members = [ nginxUser ];
    transmission.members = [ nginxUser ];
  };

  # Open only the two public ports, on the chain that presumably receives
  # inbound Internet traffic (the chain itself is declared elsewhere).
  networking.nftables.ruleset = ''
    table inet filter {
      chain input-net {
        tcp dport { http, https } counter accept comment "HTTP(S)"
      }
    }
  '';

  # nginx state lives on a ZFS dataset whose name is derived from the host.
  fileSystems."/var/lib/nginx" = {
    device = "${hostName}/var/www";
    fsType = "zfs";
  };

  # Ask the upstream router (UPnP) to forward 80 and 443 to this host. Each
  # lease lasts 30 minutes, and the renewing units are bound to
  # nginx.service so the forwards follow nginx's own lifecycle.
  services.upnpc.redirections =
    map (forward: forward // {
      protocol = "TCP";
      duration = 30 * 60;
      service.wantedBy = [ "nginx.service" ];
      service.partOf = [ "nginx.service" ];
    }) [
      { description = "HTTP"; externalPort = 80; }
      { description = "HTTPS"; externalPort = 443; }
    ];

  services.nginx = {
    enable = true;
    # Stock nginx plus the fancyindex module (directory listings).
    package = pkgs.nginx.override {
      modules = [ pkgs.nginxModules.fancyindex ];
    };
    # Resolve upstream names through the local resolver only. An empty
    # `valid` leaves the `valid=` parameter out of the resolver directive.
    resolver = {
      addresses = [ "127.0.0.1:53" ];
      valid = "";
    };
    # Catch-all default server: a request whose Host matches no other
    # virtualHost gets its connection closed without a response (444), so
    # nothing is served under unexpected names. TLS is still terminated,
    # with the certificate issued for the host's domain.
    virtualHosts."_" = {
      default = true;
      forceSSL = true;
      useACMEHost = domain;
      extraConfig = ''
        # Connection closed without response
        return 444;
      '';
    };
  };
}