# NixOS module for this host's web server: nginx itself, the nftables rule and
# UPnP port mappings that make it reachable, and the ZFS mount at /var/lib/nginx.
{ pkgs, config, inputs, hostName, ... }:
let
  # Shorthands into the evaluated configuration: `networking.domain` names the
  # ACME certificate below and `nginx.user` is the account nginx runs as.
  inherit (config) networking;
  inherit (config.services) nginx;
in
{
  imports = [
    # Shared nginx profile taken from the `julm-nix` input. Whatever it sets
    # (TLS parameters, headers, logging, ...) is not visible in this file.
    (inputs.julm-nix + "/nixos/profiles/services/nginx.nix")
    # Site-specific configuration kept in a file next to this one.
    nginx/sourcephile.fr.nix
  ];
  # Supplementary groups for the account nginx runs as.
  # NOTE(review): every membership here is read access that a compromised nginx
  # worker inherits. Presumably "acme" covers the certificate private keys,
  # "keys" the deployed secrets and "transmission" the download directory.
  # Confirm each one is still required, and prefer a narrower dedicated group
  # where only a single file is needed.
  users.groups = {
    "acme".members = [ nginx.user ];
    "keys".members = [ nginx.user ];
    "transmission".members = [ nginx.user ];
  };
  # Firewall: accept TCP to the http and https ports in the `input-net` chain of
  # the `inet filter` table. `counter` keeps packet/byte counts for the rule.
  # The rule has no source-address or rate restriction, so it admits every
  # packet that reaches this chain.
  # NOTE(review): `input-net` is declared elsewhere; which interfaces jump to it
  # decides how far this opens the ports. Confirm against the base ruleset.
  networking.nftables.ruleset = ''
    table inet filter {
      chain input-net {
        tcp dport { http, https } counter accept comment "HTTP(S)"
      }
    }
  '';
  # Mount the ZFS dataset `<hostName>/var/www` at /var/lib/nginx.
  # NOTE(review): no mount options are set here. If nothing under this path has
  # to be executable, nodev/nosuid/noexec (or the matching dataset properties)
  # would limit what a file dropped there can do. Confirm with the dataset
  # settings.
  fileSystems."/var/lib/nginx".device = "${hostName}/var/www";
  fileSystems."/var/lib/nginx".fsType = "zfs";
  # Request port mappings for 80/tcp and 443/tcp from the UPnP gateway, so the
  # web server is reachable from outside the LAN.
  # NOTE(review): UPnP mappings are requested without authentication and depend
  # on the gateway honouring them. The nftables rule stays the only filter on
  # this host, so whatever nginx serves should be treated as Internet-facing.
  services.upnpc = {
    enable = true;
    redirections =
      map
        (entry: entry // {
          protocol = "TCP";
          # Lease length, presumably in seconds (30 minutes); confirm how the
          # upnpc module renews it.
          duration = 30 * 60;
          # Tie each mapping unit to nginx: pulled in by nginx.service and
          # marked as part of it, so the ports are presumably not left
          # forwarded while nginx is stopped.
          service.wantedBy = [ "nginx.service" ];
          service.partOf = [ "nginx.service" ];
        })
        [
          { description = "HTTP"; externalPort = 80; }
          { description = "HTTPS"; externalPort = 443; }
        ];
  };
  services.nginx = {
    enable = true;
    # nginx rebuilt with the third-party fancyindex (directory listing) module.
    # Where listings are switched on is not shown here. A listing discloses
    # every file name in the directory, so keep it to intended paths.
    package = pkgs.nginx.override {
      modules = [ pkgs.nginxModules.fancyindex ];
    };
    # Runtime DNS lookups made by nginx go to the resolver on localhost.
    # The empty `valid` presumably leaves the answers' own TTL in effect.
    resolver.addresses = [ "127.0.0.1:53" ];
    resolver.valid = "";
    # Catch-all server for requests that match no configured server name:
    # answer nothing, so site content is never served under an arbitrary Host
    # header.
    virtualHosts."_" = {
      default = true;
      forceSSL = true;
      # Reuses the certificate issued for `networking.domain`.
      # NOTE(review): the TLS handshake for an unknown name still completes
      # with this certificate, which discloses its names to anyone connecting
      # by IP address. The vhost option `rejectSSL` (nginx
      # `ssl_reject_handshake`) avoids that; check it fits before switching.
      # NOTE(review): with forceSSL, plain-HTTP requests presumably receive the
      # module's HTTPS redirect instead of the 444 below. Confirm in the
      # generated nginx.conf.
      useACMEHost = networking.domain;
      extraConfig = ''
        # Connection closed without response
        return 444;
      '';
    };
  };
}