{ inputs, constants, config, ... }:
# NixOS module: serves static docs from /var/www via nginx. The gitea runner
# unit is the writer of that tree, and ACME is set up with the Hetzner DNS
# provider using a sops-managed API token.
let
  nginxCfg = config.services.nginx;
  docsHost = constants.services.docs.fqdn;
  acmeEmail = "admin@${constants.domain}";
  hetznerTokenPath = config.sops.secrets.hetzner-api-key.path;
in
{
  imports = [ inputs.synix.nixosModules.nginx ];

  # /var/www is created owned by the runner user and the nginx group, so the
  # runner can publish files that nginx then reads.
  systemd.tmpfiles.rules = [
    "d /var/www 0755 gitea-runner ${nginxCfg.group} -"
  ];

  # Grant the runner unit write access to the web root. ReadWritePaths only
  # has an effect if the unit is otherwise confined (e.g. ProtectSystem) —
  # presumably done by the runner module; confirm there.
  systemd.services.gitea-runner-default.serviceConfig.ReadWritePaths = [ "/var/www" ];

  services.nginx = {
    enable = true;
    # NOTE(review): openFirewall and forceSSL at this level are presumably
    # options declared by the imported synix nginx module, not upstream
    # NixOS — verify against that module.
    openFirewall = false;
    forceSSL = false;
    virtualHosts.${docsHost}.locations."/".root = "/var/www/doc";
  };

  security.acme = {
    acceptTerms = true;
    defaults = {
      email = acmeEmail;
      # DNS-01 via Hetzner; the API token is read from the sops secret below.
      dnsProvider = "hetzner";
      credentialFiles.HETZNER_API_TOKEN_FILE = hetznerTokenPath;
    };
  };

  # The token file is readable only by the acme user (mode 0400).
  sops.secrets.hetzner-api-key = {
    mode = "0400";
    owner = "acme";
    group = "acme";
  };
}