{ domain, ... }:
{ lib, config, inputs, hostName, ... }:
let
  inherit (config.services) nginx;
  srv = "www";
  root = "/var/lib/nginx/${domain}";
in
{
  systemd.services.nginx.serviceConfig = {
    BindPaths = [
      "/home/julm/work/perso:${root}/julm"
    ];
    StateDirectory = [
      "nginx/${domain}/julm"
    ];
    LogsDirectory = lib.mkForce [
      "nginx/${domain}/${srv}"
    ];
    LoadCredentialEncrypted = [
      "${domain}.${srv}.julm.PC.htpasswd:${inputs.self}/hosts/${hostName}/nginx/${domain}/${srv}/julm/PC/htpasswd.cred"
    ];
  };
  services.nginx = {
    virtualHosts."${domain}.${srv}" = {
      serverAliases = [ domain ];
      forceSSL = true;
      useACMEHost = domain;
      root = "${root}/${srv}";
      extraConfig = ''
        access_log /var/log/nginx/${domain}/${srv}/access.log json buffer=32k;
        error_log  /var/log/nginx/${domain}/${srv}/error.log warn;
      '';
      locations."/".extraConfig = ''
        #autoindex on;
        fancyindex on;
        fancyindex_name_length 255;
        fancyindex_exact_size off;
      '';
      locations."/julm/" = {
        alias = "${root}/julm/";
        extraConfig = ''
          autoindex off;
        '';
      };
      locations."/julm/PC/" = {
        alias = "${root}/julm/PC/";
        basicAuthFile = "/run/credentials/nginx.service/${domain}.${srv}.julm.PC.htpasswd";
        extraConfig = ''
          fancyindex on;
          fancyindex_name_length 255;
          fancyindex_exact_size off;
        '';
      };
    };
  };
}