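# NixOS module for the "losurdo" web host: a few read-only directories are
# served over a Tor onion service and over a TLS-only clearnet virtual host.
# Two-stage function: the first argument set supplies `domain`, the second is
# the usual NixOS module argument set.
{ domain, ... }:
{ pkgs, lib, config, ... }:
let
  inherit (config.security) gnupg;
  inherit (config.services) nginx;
  srv = "losurdo";
  root = "/var/lib/nginx";
  # Onion address of this host; it also keys the tor secret names below.
  onion = "dfc66yn2fundui5yvq2ndx4nmcmbxpho4ji32tlc4cncrjvs2b5yu4id";
  # Access/error log settings shared by both virtual hosts. The `json` log
  # format is not defined in this file; presumably declared elsewhere in the
  # nginx configuration — confirm.
  logConfig = ''
    access_log /var/log/nginx/${domain}/${srv}/access.json json buffer=32k;
    error_log /var/log/nginx/${domain}/${srv}/error.log warn;
  '';
  # Directory-listing settings shared by every public download location.
  fancyIndex = ''
    autoindex on;
    fancyindex on;
    fancyindex_exact_size off;
    fancyindex_name_length 255;
    open_file_cache off;
    #open_file_cache_valid 1s;
  '';
in
{
  services.tor = {
    relay.onionServices."nginx/${domain}/${srv}" = {
      # The onion private key is decrypted by the gnupg secrets service, which
      # is ordered before tor.service (see security.gnupg.secrets below).
      secretKey = gnupg.secrets."tor/onion/${onion}/hs_ed25519_secret_key".path;
      # Ports exposed on the onion service; the forwarding target is left to the
      # NixOS tor module's default (same port on the local host — confirm).
      map = [
        80
        #{ port = 443; target = { port = 8443; }; }
      ];
      /*
      authorizedClients = [
        "descriptor:x25519:2EZQ3AOZXERDVSN6WO5LNSCOIIPL2AT2A7KOS4ZIYNVQDR5EFM2Q" # julm
      ];
      */
    };
    /*
    client.onionServices.${onion} = {
      clientAuthorizations = [
        gnupg.secrets."tor/auth/julm".path
      ];
    };
    */
  };

  security.gnupg.secrets =
    lib.genAttrs [
      "tor/onion/${onion}/hs_ed25519_secret_key"
      "tor/auth/julm"
    ] (secret: {
      # Decrypt before tor starts, and whenever tor is started.
      systemdConfig.before = [ "tor.service" ];
      systemdConfig.wantedBy = [ "tor.service" ];
    })
    // {
      "nginx/perso/htpasswd" = {
        # Generated with:
        #   for i in $PASSWORD_STORE_DIR/hosts/losurdo/nginx/perso/htpasswd/*.gpg; do
        #     i="${i#$PASSWORD_STORE_DIR/}"; i=${i%.gpg}; printf %s: "${i##*/}";
        #     pass $i | openssl passwd -apr1 -stdin;
        #   done | pass insert -m hosts/losurdo/nginx/perso/htpasswd
        # Then: nix flake lock --update-input pass
        # NOTE(review): -apr1 is the Apache MD5 scheme; nginx also accepts
        # crypt()-style hashes (e.g. `openssl passwd -6` for SHA-512) where the
        # libc crypt supports them — consider on the next regeneration, confirm
        # against the deployed nginx/libc first.
        systemdConfig.before = [ "nginx.service" ];
        systemdConfig.wantedBy = [ "nginx.service" ];
        # Owned by the nginx service identity so only nginx can read the file.
        user = nginx.user;
        group = nginx.group;
      };
    };

  services.nginx = {
    # Onion view: its root is the public downloads directory only, so the
    # password-protected /perso tree below is not reachable through it.
    # NOTE(review): no `listen` is set, so the NixOS defaults apply; if this
    # vhost is meant to be reachable only through tor, restrict it to the
    # loopback address the onion service forwards to — confirm.
    virtualHosts."${onion}.onion" = {
      root = root + "/dl";
      extraConfig = logConfig;
      locations."/".extraConfig = fancyIndex;
    };

    # Clearnet view: TLS only, with the ACME certificate of `domain`.
    virtualHosts."${srv}.${domain}" = {
      serverAliases = [ domain ];
      #onlySSL = true;
      #addSSL = true;
      forceSSL = true;
      useACMEHost = domain;
      inherit root;
      extraConfig = logConfig;
      # Nothing is served at the site root: 444 closes the connection without
      # sending a response. Only the prefix locations below answer.
      locations."/".extraConfig = ''
        #autoindex on;
        return 444;
      '';
      locations."/dl".extraConfig = fancyIndex;
      locations."/julm".extraConfig = fancyIndex;
      locations."/haskell".extraConfig = fancyIndex;
      # Basic auth backed by the gnupg-managed htpasswd file; forceSSL above
      # keeps the credentials off plaintext HTTP.
      locations."/perso".extraConfig = ''
        auth_basic "authentication required";
        auth_basic_user_file ${gnupg.secrets."nginx/perso/htpasswd".path};
        autoindex on;
      '';
    };
  };

  systemd.services.nginx = {
    serviceConfig = {
      # Per-host log directory for the access_log/error_log paths above.
      LogsDirectory = lib.mkForce [ "nginx/${domain}/${srv}" ];
      # The served directories are exposed to nginx as read-only bind mounts
      # under `root`, rather than pointing the vhosts at the home directories.
      BindReadOnlyPaths = [
        "/home/julm/work/sourcephile/web:${root}/julm"
        "/home/julm/dl:${root}/dl"
        "/home/julm/work/sourcephile/haskell:${root}/haskell"
        "/home/julm/perso:${root}/perso"
      ];
    };
  };
}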