# Outer function: takes the site's domain name and returns the NixOS module below.
{ domain, ... }:
# The NixOS module itself.
{ pkgs, lib, config, ... }:
let
  # NOTE(review): `networking` is bound here but not referenced anywhere in the module body.
  inherit (config) networking;
  # Secret-management options; the module that provides `security.gnupg` is defined outside this file.
  inherit (config.security) gnupg;
  # Used below for the user and group that own the htpasswd secret.
  inherit (config.services) nginx;
  # Virtual-host label, reused in the vhost key, the document root and the log directory.
  srv = "www";
  # Per-domain base directory under /var/lib/nginx.
  root = "/var/lib/nginx/${domain}";
in
{
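# Per-site additions to the nginx unit's systemd sandbox.
systemd.services.nginx.serviceConfig = {
  # Expose the personal work directory inside nginx's mount namespace at
  # ${root}/julm. The mount is read-only: the locations in this file only serve
  # files from it, so least privilege means a compromised nginx worker must not
  # be able to modify anything under the user's home through this mount.
  BindReadOnlyPaths = [
    "/home/julm/work/perso:${root}/julm"
  ];
  # Creates /var/lib/nginx/${domain}/julm, which serves as the mount point above.
  StateDirectory = [
    "nginx/${domain}/julm"
  ];
  # mkForce overrides lower-priority LogsDirectory definitions from other modules,
  # so systemd manages /var/log/nginx/${domain}/${srv} for this vhost's logs.
  LogsDirectory = lib.mkForce [
    "nginx/${domain}/${srv}"
  ];
};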
# Virtual host serving ${root}/${srv} plus the bind-mounted work directory.
services.nginx = {
  virtualHosts = {
    "${domain}.${srv}" = {
      # TLS: reuse the ACME certificate issued for `domain`. forceSSL redirects
      # plain HTTP to HTTPS, so the Basic-auth credentials for /julm/PC/ are not
      # meant to travel in cleartext.
      useACMEHost = domain;
      forceSSL = true;
      serverAliases = [ domain ];
      root = "${root}/${srv}";
      # Per-vhost logs. The `json` log format is not defined in this file and must
      # be declared elsewhere. With buffer=32k and no flush= parameter, the most
      # recent requests may not be on disk yet when access.log is read during triage.
      # Failed Basic-auth attempts are logged by nginx at `error` severity, so the
      # `warn` threshold keeps them in error.log for monitoring.
      extraConfig = ''
        access_log /var/log/nginx/${domain}/${srv}/access.log json buffer=32k;
        error_log  /var/log/nginx/${domain}/${srv}/error.log warn;
      '';
      locations = {
        # Directory listings are enabled for the document root: every file placed
        # under ${root}/${srv} becomes discoverable by any visitor.
        # NOTE(review): the fancyindex directives need the third-party fancyindex
        # module; nothing in this file loads it — confirm it is enabled elsewhere.
        "/" = {
          extraConfig = ''
            #autoindex on;
            fancyindex on;
            fancyindex_name_length 255;
            fancyindex_exact_size off;
          '';
        };
        # Personal work directory (bind-mounted by the systemd unit settings).
        # Listing is off, but files are still served without authentication to
        # anyone who knows or guesses a path.
        # NOTE(review): only /julm/PC/ is password-protected — confirm that is intended.
        # The location prefix and the alias both end in "/"; keep them matched so
        # request paths cannot resolve outside the aliased directory.
        "/julm/" = {
          extraConfig = ''
            autoindex off;
          '';
          alias = "${root}/julm/";
        };
        # Longest-prefix match makes this location win over "/julm/" for URIs under
        # /julm/PC/. Access requires HTTP Basic auth against the htpasswd secret
        # declared under security.gnupg.secrets in this file. No request rate limit
        # is configured here, so password guessing is only bounded by the hash
        # strength and whatever monitoring watches error.log.
        "/julm/PC/" = {
          basicAuthFile = gnupg.secrets."nginx/${domain}/${srv}/julm/PC/htpasswd".path;
          alias = "${root}/julm/PC/";
          extraConfig = ''
            fancyindex on;
            fancyindex_name_length 255;
            fancyindex_exact_size off;
          '';
        };
      };
    };
  };
};
# htpasswd file backing the Basic-auth protection of /julm/PC/.
security.gnupg.secrets = {
  "nginx/${domain}/${srv}/julm/PC/htpasswd" = {
    # Generated with: echo "$user:$(openssl passwd -apr1)"
    # (openssl prompts for the password, so it stays out of the shell history.)
    # NOTE(review): -apr1 is the MD5-based Apache scheme, which is cheap to
    # brute-force offline if this file ever leaks. nginx also accepts crypt(3)
    # hashes, so a SHA-512 entry from `openssl passwd -6` should work on glibc
    # systems — verify on the target host before switching.
    # Order the secret's unit before nginx.service and have nginx.service pull it in.
    # NOTE(review): presumably these map to systemd Before=/WantedBy=. If so, the
    # dependency is weak and nginx still starts when the secret fails to decrypt —
    # confirm the protected location then rejects requests instead of serving them.
    systemdConfig.before = [ "nginx.service" ];
    systemdConfig.wantedBy = [ "nginx.service" ];
    # Owned by the nginx service account so the server can read the file.
    user = nginx.user;
    group = nginx.group;
  };
};
}