# NixOS module: serves a twtxt feed through nginx on the virtual host
# twtxt.<host FQDN>, with /var/lib/twtxt as the document root.
{ pkgs, config, users, lib, ... }:

let
  # Name of the nginx virtual host that carries the feed.
  vhost = "twtxt.${config.networking.fqdn}";

  # Directory holding twtxt.txt; used as the web root and in the tmpfiles rules.
  feedDir = "/var/lib/twtxt";

  # Account nginx runs as; the tmpfiles rules below make it the owner of feedDir.
  webUser = config.services.nginx.user;

  # Certificate issuance and the HTTPS redirect both follow ACME terms
  # acceptance. When acceptTerms is false, neither is enabled for this vhost,
  # so the feed is not forced onto TLS.
  tlsEnabled = config.security.acme.acceptTerms;
in
{
  # Group given group-level access to the feed directory (see tmpfiles rules).
  users.groups.twtxt = { };

  environment.systemPackages = [ pkgs.twtxt ];

  # mkDefault lets another module override the nginx enable flag.
  services.nginx.enable = lib.mkDefault true;

  services.nginx.virtualHosts."${vhost}" = {
    root = feedDir;
    enableACME = tlsEnabled;
    forceSSL = tlsEnabled;

    # Every request under "/" is answered with /twtxt.txt or a 404, so other
    # files in the web root are not reachable through this location.
    locations."/".tryFiles = "/twtxt.txt =404"; # Read that path out loud three times fast.
  };

  # "d" creates the directory; "Z" re-applies mode and ownership recursively
  # to everything beneath it.
  #
  # NOTE(review): these rules are emitted only when syncthing is enabled, while
  # the vhost above is always defined. Confirm the directory is provisioned
  # some other way on hosts without syncthing.
  # NOTE(review): the nginx user owns the tree with write access to the content
  # it serves, and the recursive 0774 also sets the execute bits on regular
  # files. Confirm the web server needs more than read access here.
  systemd.tmpfiles.rules = lib.mkIf config.services.syncthing.enable [
    "d '${feedDir}' 0774 ${webUser} twtxt"
    "Z '${feedDir}' 0774 ${webUser} twtxt"
  ];
}