# NixOS module for this host's public nginx front end: it imports the shared
# julm-nix nginx profile and two per-site modules, admits HTTP(S) through
# nftables, configures a catch-all TLS vhost, and snapshots the nginx dataset.
{ pkgs, config, inputs, ... }:
let
  # Account the nginx service runs as, read from the evaluated configuration.
  nginxUser = config.services.nginx.user;
  # The host's domain; reused below as the name of an existing ACME certificate.
  acmeHost = config.networking.domain;
in
{
  imports = [
    (inputs.julm-nix + "/nixos/profiles/services/nginx.nix")
    nginx/autogeree.net.nix
    nginx/sourcephile.fr.nix
  ];

  users.groups = {
    # Presumably lets nginx read the ACME-issued certificate and private key
    # files (group-readable by "acme") -- confirm against security.acme.certs.
    "acme".members = [ nginxUser ];
    # NOTE(review): membership in "keys" usually grants read access to
    # deployed secrets in general, not only nginx's own. Confirm which key
    # files nginx actually needs and that nothing broader becomes readable.
    "keys".members = [ nginxUser ];
  };

  # Accept TCP 80/443 with no source restriction; the `inet` family covers
  # both IPv4 and IPv6. The `input-net` chain is only extended here;
  # presumably it is declared and hooked elsewhere -- confirm.
  networking.nftables.ruleset = ''
    table inet filter {
      chain input-net {
        tcp dport { 80, 443 } counter accept comment "HTTP(S)"
      }
    }
  '';

  # Dedicated dataset mount for nginx state, currently disabled:
  #   fileSystems."/var/lib/nginx" = {
  #     device = "rpool/var/lib/nginx";
  #     fsType = "zfs";
  #   };

  services = {
    nginx = {
      enable = true;

      # Rebuild nginx with the fancyindex module compiled in. Whether any
      # location enables directory listings is decided in the vhost modules,
      # not in this file.
      package = pkgs.nginx.override {
        modules = [ pkgs.nginxModules.fancyindex ];
      };

      # Runtime DNS lookups go to a resolver on loopback; this assumes one is
      # listening on 127.0.0.1:53 (not configured in this file).
      resolver.addresses = [ "127.0.0.1:53" ];
      # Empty: no `valid=` override, so cached answers follow the response TTL.
      resolver.valid = "";

      # Vhost named "_": plain HTTP is redirected to HTTPS, and TLS uses the
      # already-existing ACME certificate for the host's domain (useACMEHost
      # does not request a certificate itself).
      # NOTE(review): "_" is not special to nginx; this block only answers
      # unmatched Host names if it ends up as the default server, and
      # `default = true` is not set here -- confirm the imported profile or
      # the listen order provides that.
      virtualHosts."_".forceSSL = true;
      virtualHosts."_".useACMEHost = acmeHost;
    };

    # Snapshot policy for the nginx dataset and its children: uses the "snap"
    # template (defined outside this file) and keeps 7 daily snapshots.
    # NOTE(review): the matching fileSystems mount above is commented out;
    # confirm the dataset exists and is mounted by other means.
    sanoid.datasets."rpool/var/lib/nginx" = {
      recursive = true;
      daily = 7;
      use_template = [ "snap" ];
    };
  };
}