# Web-server host role: nginx fronted by ACME certificates, firewall
# openings for HTTP/HTTPS, and the served content kept on its own
# snapshotted ZFS dataset. `lib` is accepted for module-signature parity
# even though nothing here uses it.
{ pkgs, lib, config, ... }:
{
  imports = [
    # Shared nginx profile, then the per-site virtual hosts.
    ../../nixos/profiles/services/nginx.nix
    nginx/autogeree.net.nix
    nginx/sourcephile.fr.nix
  ];

  # Let the nginx worker user read ACME-issued certificates and whatever
  # the "keys" group guards (presumably secrets deployed under /run/keys —
  # verify against the secrets tooling). Both are read grants, not writes.
  users.groups = {
    "acme".members = [ config.services.nginx.user ];
    "keys".members = [ config.services.nginx.user ];
  };

  # Firewall: append HTTP/HTTPS accepts to the net2fw chain. The chain
  # itself (and the inet filter table) is defined outside this file.
  networking.nftables.ruleset = ''
    add rule inet filter net2fw tcp dport 80 counter accept comment "HTTP"
    add rule inet filter net2fw tcp dport 443 counter accept comment "HTTPS"
  '';

  services.nginx = {
    enable = true;

    # Stock nginx with the fancyindex directory-listing module compiled in.
    # Compiling it in does not expose listings by itself; a location has to
    # turn it on — keep that in mind when reviewing the site-specific files.
    package = pkgs.nginx.override {
      modules = [ pkgs.nginxModules.fancyindex ];
    };

    # nginx's runtime DNS lookups (e.g. OCSP stapling) go to localhost.
    # This assumes a local caching resolver listens on 127.0.0.1:53 — confirm.
    # An empty `valid` does not override the TTLs returned by that resolver.
    resolver = {
      addresses = [ "127.0.0.1:53" ];
      valid = "";
    };

    # Catch-all default server: redirect plain HTTP to HTTPS and present the
    # certificate issued for networking.domain (the matching
    # security.acme.certs entry is expected elsewhere).
    # NOTE(review): every request with an unmatched Host/SNI receives this
    # certificate and redirect; if that is not intended, a default host with
    # `rejectSSL` would drop such connections instead.
    virtualHosts."_" = {
      forceSSL = true;
      useACMEHost = config.networking.domain;
    };
  };

  # Served content lives on a dedicated ZFS dataset mounted under nginx's
  # state directory (confirm this is the path the sites actually serve from).
  fileSystems."/var/lib/nginx" = {
    device = "rpool/var/www";
    fsType = "zfs";
  };

  # Snapshot that dataset with sanoid: the "local" template plus seven
  # retained daily snapshots.
  services.sanoid.datasets."rpool/var/www" = {
    use_template = [ "local" ];
    daily = 7;
  };
}