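{ config, lib, ... }:
let
  # Shared lookups for the three per-virtual-host mappings below, so the
  # log-directory ownership, logrotate sections and backup paths cannot drift
  # apart from one another.
  nginxCfg = config.services.nginx;
  inherit (nginxCfg) virtualHosts;
  # "<user> <group>" pair that owns the per-host log directories and that
  # logrotate drops privileges to when rotating them.
  logOwner = "${nginxCfg.user} ${nginxCfg.group}";
in
{
  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;
    # Global limit: every virtual host accepts request bodies up to 10 GiB
    # unless it sets a smaller client_max_body_size of its own.
    clientMaxBodySize = "10G";

    # stub_status metrics endpoint. The NixOS module serves it on the loopback
    # listeners only, so it is not reachable from other hosts; confirm against
    # the generated nginx.conf if the listen addresses are ever customised.
    statusPage = true;

    # Access-log format: the combined format plus request/upstream timing
    # fields, for diagnosing slow proxied backends.
    commonHttpConfig = ''
      log_format upstream_time '$remote_addr - $remote_user [$time_local] '
                         '"$request" $status $body_bytes_sent '
                         '"$http_referer" "$http_user_agent" '
                         'rt=$request_time uct="$upstream_connect_time" '
                         'uht="$upstream_header_time" urt="$upstream_response_time"';
    '';
  };

  services.logrotate.settings =
    {
      # Override the module's default retention: keep fewer rotated logs.
      nginx.rotate = 6;
    }
    # One logrotate section per virtual host, keyed by the log file path.
    # NOTE(review): nothing in this file points nginx at these per-host
    # access.log paths — presumably each virtual host does so in its own
    # config; confirm the paths match.
    // lib.mapAttrs' (
      virtualHost: _:
      lib.nameValuePair "/var/log/nginx/${virtualHost}/access.log" {
        frequency = "daily";
        rotate = 2;
        compress = true;
        delaycompress = true;
        # Rotate as the nginx user/group instead of root, matching the
        # ownership of the directory created by the tmpfiles rule below.
        su = logOwner;
        # Tell nginx to reopen its log files; a missing pid file (nginx not
        # running) is deliberately not an error.
        postrotate = "[ ! -f /var/run/nginx/nginx.pid ] || kill -USR1 `cat /var/run/nginx/nginx.pid`";
      }
    ) virtualHosts;

  # Create a private log directory per virtual host; 0750 keeps the logs
  # readable only by the nginx user and group.
  systemd.tmpfiles.rules = lib.mapAttrsToList (
    virtualHost: _: "d /var/log/nginx/${virtualHost} 0750 ${logOwner}"
  ) virtualHosts;

  security.acme = {
    defaults.email = "tm@tlater.net";
    acceptTerms = true;

    # A single wildcard certificate covering both apex domains, validated via
    # the DNS provider's API.
    certs."tlater.net" = {
      extraDomainNames = [
        "*.tlater.net"
        "tlater.com"
        "*.tlater.com"
      ];
      dnsProvider = "porkbun";
      # Let the nginx group read the issued key material.
      group = "nginx";
      # Provider credentials are read at runtime from sops-managed secret
      # files rather than being written as literals into this module.
      credentialFiles = {
        PORKBUN_API_KEY_FILE = config.sops.secrets."porkbun/api-key".path;
        PORKBUN_SECRET_API_KEY_FILE = config.sops.secrets."porkbun/secret-api-key".path;
      };
    };
  };

  # Site-local backup option: back up the ACME state directory of each
  # virtual host.
  # NOTE(review): only the "tlater.net" cert is declared above; a host that
  # reuses it would have no /var/lib/acme/<host> directory of its own —
  # confirm the backup tool tolerates missing paths.
  services.backups.acme = {
    user = "acme";
    paths = lib.mapAttrsToList (
      virtualHost: _: "/var/lib/acme/${virtualHost}"
    ) virtualHosts;
  };
}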