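# NixOS helper module for hosting one or more Pelican static sites behind nginx.
#
# Each attribute of `helpers.pelican` is keyed by the site's FQDN and names the
# directory holding the Pelican project.  For every site the module:
#   * maps the FQDN to 127.0.0.1 in /etc/hosts,
#   * serves `<path>/output` as an nginx virtual host,
#   * defines a oneshot `<fqdn>-reloader` service that rebuilds the site and
#     restarts nginx, and
#   * defines a `<fqdn>-watcher` path unit that triggers the reloader whenever
#     `<path>/content` is modified.
{ config, lib, pkgs, ... }:

let
  cfg = config.helpers.pelican;
in
{
  options.helpers.pelican = lib.mkOption {
    description = "Pelican SSG helper";
    default = { };
    type = with lib.types; attrsOf (submodule {
      options = {
        # Filesystem path of the Pelican project directory.  It is spliced
        # verbatim into the nginx `root` directive and the reloader's
        # WorkingDirectory, so it should be an absolute path that nginx can
        # read; nothing here validates that.
        path = lib.mkOption { type = str; };
        # auth = lib.mkOption {
        #   type = bool;
        #   default = true;
        # };
      };
    });
  };

  config = {
    # Resolve every configured FQDN to loopback on this host.  This only
    # affects local name resolution; ACME validation still needs public DNS.
    networking.hosts."127.0.0.1" = builtins.attrNames cfg;

    # lifted from https://nixos.wiki/wiki/Nginx#Authentication_via_PAM
    # also https://github.com/NixOS/nixpkgs/issues/117578
    # Have not tested to see which of these can be re-enabled. Not a fan of killing all that stuff just for pam.
    # Maybe copy /etc/shadow to /run/keys via colmena?
    # security.pam.services.nginx.setEnvironment = false;
    # systemd.services.nginx.serviceConfig = {
    #   SupplementaryGroups = [ "shadow" ];
    #   NoNewPrivileges = lib.mkForce false;
    #   PrivateDevices = lib.mkForce false;
    #   ProtectHostname = lib.mkForce false;
    #   ProtectKernelTunables = lib.mkForce false;
    #   ProtectKernelModules = lib.mkForce false;
    #   RestrictAddressFamilies = lib.mkForce [ ];
    #   LockPersonality = lib.mkForce false;
    #   MemoryDenyWriteExecute = lib.mkForce false;
    #   RestrictRealtime = lib.mkForce false;
    #   RestrictSUIDSGID = lib.mkForce false;
    #   SystemCallArchitectures = lib.mkForce "";
    #   ProtectClock = lib.mkForce false;
    #   ProtectKernelLogs = lib.mkForce false;
    #   RestrictNamespaces = lib.mkForce false;
    #   SystemCallFilter = lib.mkForce "";
    # };
    # services.nginx.virtualHosts."nfo".locations."/subdomain"
    services.nginx = {
      enable = lib.mkDefault true;
      # The PAM module is loaded even though the `auth_pam` directives below
      # are still commented out, so no location is password-protected yet.
      additionalModules = [ pkgs.nginxModules.pam ];
      virtualHosts = lib.attrsets.mapAttrs (fqdn: name: {
        # TLS via ACME is switched on only once the operator has accepted the
        # CA's terms; until then the site is served over plain HTTP.
        enableACME = config.security.acme.acceptTerms;
        forceSSL = config.security.acme.acceptTerms;
        locations."/" = {
          root = "${name.path}/output";
          # extraConfig = lib.mkIf name.localOnly ''
          #   allow 127.0.0.1;
          #   deny all;
          # '';
        };
        # extraConfig = lib.mkIf name.auth ''
        #   auth_pam "Password Required";
        #   auth_pam_service_name "nginx";
        # '';
      }) cfg;
    };

    # One oneshot service per site that regenerates the output and restarts
    # nginx.  It is started by the matching path unit below.
    systemd.services = lib.attrsets.mapAttrs' (fqdn: name:
      lib.attrsets.nameValuePair "${fqdn}-reloader" {
        # `network.target` is the standard systemd target; the previous
        # `networking.target` spelling does not match any unit.
        after = [ "network.target" ];
        # The three steps must run in sequence, so none of them uses `exec`:
        # `exec` replaces the shell with the first command and the remaining
        # lines are never reached.
        script = ''
          ${pkgs.python310Packages.pelican}/bin/pelican content
          systemd-tmpfiles --create
          systemctl restart nginx.service
        '';
        serviceConfig = {
          Type = "oneshot";
          WorkingDirectory = "${name.path}";
          # NOTE(review): no User/DynamicUser is set, so pelican runs as root
          # over the site directory.  That is fine while only the operator
          # edits `content`; a dedicated build user would limit the blast
          # radius otherwise.
        };
      }) cfg;

    # One path unit per site that fires the reloader on any change under
    # `<path>/content`.
    systemd.paths = lib.attrsets.mapAttrs' (fqdn: name:
      lib.attrsets.nameValuePair "${fqdn}-watcher" {
        wantedBy = [ "multi-user.target" ];
        pathConfig = {
          PathModified = "${name.path}/content";
          Unit = "${fqdn}-reloader.service";
          # TriggerLimitIntervalSec = "10s";
          # TriggerLimitBurst = 50;
        };
      }) cfg;
  };
}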