{ lib, hostName, ... }:
let
  # DNS zone of the public site; reused below as the ACME certificate host
  # and in the nginx log directory names.
  domain = "sourcephile.fr";
  # Root of the SFTP tree. It is the mount point of the ZFS dataset and the
  # ChrootDirectory of the restricted SFTP account configured in this file.
  sftpRoot = "/var/lib/sftp";
  # Document root served by nginx. The nginx unit bind-mounts only the
  # per-user public/ and perso/ directories into it, read-only.
  nginxRoot = "/var/lib/nginx/${domain}/sftp";
  # Accounts that get a /<user>/public/ and a /<user>/perso/ web location.
  sftpUsers = [ "julm" "sevy" ];
in
{
  # Dedicated ZFS dataset backing the whole SFTP tree.
  # NOTE(review): this dataset receives user uploads; whether setuid, device
  # nodes and execution are disabled on it (mount options or ZFS properties)
  # is not visible from this file — confirm.
  fileSystems.${sftpRoot} = {
    fsType = "zfs";
    device = "${hostName}/var/sftp";
  };
  # Snapshot policy for the SFTP dataset: the "snap" template (defined outside
  # this file) with daily = 31 set here.
  # NOTE(review): these snapshots stay on the same pool. The syncoid
  # replication that follows is commented out, so nothing in this file sends
  # them off-host; it also references `networking`, which is not among this
  # module's arguments and would have to be brought into scope first.
  services.sanoid.datasets."${hostName}/var/sftp" = {
    daily = 31;
    use_template = [ "snap" ];
  };
  /*
    services.syncoid.commands = {
    "${hostName}/var/sftp" = {
    sendOptions = "raw";
    target = "backup@mermet.${networking.domain}:rpool/backup/${hostName}/var/sftp";
    };
    };
  */
  # Two nginx virtual hosts built from one shared definition: an internal name
  # (sftp.<hostName>.sp) and the public name (sftp.<domain>). Both expose, per
  # SFTP user, an open public/ listing and a basic-auth protected perso/
  # listing, and answer 403 for everything else under "/".
  services.nginx.virtualHosts =
    let
      # nginx directives producing a browsable directory index; spliced into
      # every per-user location below. Directory listing is therefore enabled
      # for the whole of public/ and perso/, not just for individual files.
      indexConfig = ''
        autoindex on;
        fancyindex on;
        fancyindex_exact_size off;
        fancyindex_name_length 255;
        open_file_cache off;
        #open_file_cache_valid 1s;
      '';
      # Settings common to both vhosts: document root and locations.
      virtualHost = {
        root = nginxRoot;
        # One "/<user>/" location per entry of sftpUsers, merged (//) with a
        # catch-all "/" location that denies access.
        locations = lib.listToAttrs
          (map
            (user:
              lib.nameValuePair "/${user}/" {
                # Nested locations: public/ is listed without authentication,
                # perso/ requires HTTP basic auth.
                # The credential file lives in the SFTP tree, next to perso/
                # rather than inside it, so it is not under a served path.
                # NOTE(review): whoever can write <sftpRoot>/<user>/perso.htpasswd
                # controls access to that user's perso/. The restricted SFTP
                # account is chrooted at sftpRoot, not at its own directory,
                # so only the Unix ownership and mode of each file keep one
                # user from reading or replacing another's — confirm them.
                extraConfig = ''
                  location /${user}/public/ {
                    ${indexConfig}
                  }
                  location /${user}/perso/ {
                    ${indexConfig}
                    auth_basic secured;
                    auth_basic_user_file ${sftpRoot}/${user}/perso.htpasswd;
                  }
                '';
              }
            )
            sftpUsers) // {
          # Default deny: any path that is not under a listed user is refused.
          "/".extraConfig = ''
            return 403;
          '';
        };
      };
    in
    {
      # Internal vhost, bound to the address <hostName>.sp.
      # NOTE(review): no forceSSL here. The log path suggests this name is
      # served over the WireGuard intranet (wg-intra); basic-auth credentials
      # for perso/ then rely on the tunnel alone for confidentiality —
      # confirm this is intended.
      "sftp.${hostName}.sp" = lib.mkMerge [
        virtualHost
        {
          listenAddresses = [ "${hostName}.sp" ];
          # Uses a log format named "json"; its definition is not in this file.
          extraConfig = ''
            access_log /var/log/nginx/wg-intra/${hostName}/sftp/access.json json buffer=32k;
            error_log  /var/log/nginx/wg-intra/${hostName}/sftp/error.log warn;
          '';
        }
      ];
      # Public vhost: HTTPS is forced and the certificate of the ACME host
      # <domain> is reused.
      "sftp.${domain}" = lib.mkMerge [
        virtualHost
        {
          forceSSL = true;
          useACMEHost = domain;
          # Uses a log format named "json"; its definition is not in this file.
          extraConfig = ''
            access_log /var/log/nginx/${domain}/${hostName}/sftp/access.json json buffer=32k;
            error_log  /var/log/nginx/${domain}/${hostName}/sftp/error.log warn;
          '';
        }
      ];
    };
  # systemd settings for the nginx unit: log directories for the two SFTP
  # vhosts and the read-only view of the SFTP tree that nginx serves.
  systemd.services.nginx.serviceConfig = {
    # mkForce makes this list take precedence over LogsDirectory values set
    # with normal priority elsewhere.
    # NOTE(review): any log directory another vhost relies on would have to
    # be listed here as well — verify against the rest of the configuration.
    LogsDirectory = lib.mkForce [
      "nginx/wg-intra/${hostName}/sftp"
      "nginx/${domain}/${hostName}/sftp"
    ];
    # For every SFTP user, map public/ and perso/ from the SFTP tree into the
    # web root, read-only. Nothing else from a user's directory is mounted
    # under nginxRoot, and nginx cannot write to what it serves through these
    # paths.
    BindReadOnlyPaths = lib.concatMap
      (name:
        map
          (dir: "${sftpRoot}/${name}/${dir}:${nginxRoot}/${name}/${dir}")
          [ "public" "perso" ])
      sftpUsers;
  };
  # Read-only bind mounts that make two host directories visible inside the
  # SFTP tree. Because the restricted SFTP account is chrooted at sftpRoot,
  # it can browse both of them; "ro" keeps it from modifying the originals.
  # NOTE(review): podcasts/ exposes /home/julm/dl to every account chrooted at
  # sftpRoot — confirm nothing private is kept in that directory.
  fileSystems."${sftpRoot}/torrents" = {
    options = [
      "bind"
      "ro"
    ];
    device = "/var/lib/transmission/downloaded";
  };
  fileSystems."${sftpRoot}/podcasts" = {
    options = [
      "bind"
      "ro"
    ];
    device = "/home/julm/dl";
  };
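  # Restrict the account "sevy" to SFTP only, chrooted at sftpRoot:
  #  - ForceCommand internal-sftp replaces any requested command or shell;
  #    "-u 0002" sets the umask, so uploads are group-writable and
  #    world-readable (presumably so that nginx can read them).
  #  - Agent, TCP, X11 and Unix-domain socket forwarding are all disabled.
  #    AllowTcpForwarding does not cover Unix-domain sockets, so
  #    AllowStreamLocalForwarding is turned off explicitly.
  #  - sshd requires ChrootDirectory and every parent component to be owned by
  #    root and not writable by group or others, otherwise the login is
  #    refused.
  # NOTE(review): only sevy is matched; julm, the other entry in sftpUsers, is
  # not restricted by this block — confirm that is intended.
  services.openssh.extraConfig = ''
    Match User sevy
      AllowAgentForwarding no
      AllowStreamLocalForwarding no
      AllowTcpForwarding no
      ChrootDirectory ${sftpRoot}
      ForceCommand internal-sftp -u 0002
      X11Forwarding no
  '';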
}