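# NixOS module for serving one or more built versions of the blog behind nginx.
# Each entry in `services.danilafe-blog.sites` is a package whose derivation
# exposes `host` (the vhost name) and `ssl` (whether to terminate TLS via ACME).
{ lib, config, ... }:
with lib;
let
  cfg = config.services.danilafe-blog;

  # Whether a given site package asks for TLS; read from the package attrset.
  sslForSite = package: package.ssl;

  # True when at least one configured site wants TLS (drives ACME enablement).
  anySsl = any sslForSite cfg.sites;

  # nginx virtual host for one site. The package output is served directly as
  # the document root; SSL/ACME settings are only merged in for `ssl` sites.
  virtualHost = package: {
    virtualHosts."${package.host}" = mkMerge [
      { root = package; }
      (mkIf (sslForSite package) {
        addSSL = true;
        enableACME = true;
        acmeRoot = cfg.challengePath;
      })
    ];
  };

  # systemd override for the per-host ACME unit so it can write its
  # HTTP-01 challenge files into `challengePath`.
  # Workaround for new configuration setting all of /var to be readonly.
  # See https://github.com/NixOS/nixpkgs/issues/139310
  service = package: {
    "acme-${package.host}".serviceConfig = {
      ReadWritePaths = [ cfg.challengePath ];
    };
  };

  virtualHosts = map virtualHost cfg.sites;
  # Only TLS-enabled sites get an ACME unit, so only those need the override.
  services = map service (filter sslForSite cfg.sites);
in
{
  options.services.danilafe-blog = {
    enable = mkEnableOption "Daniel's blog service";

    sites = mkOption {
      type = types.listOf types.package;
      # Must be a list to satisfy `listOf`; the previous `{}` default would
      # fail the option type check whenever `sites` was left unset.
      default = [ ];
      description = "List of versions of this blog that should be enabled.";
    };

    challengePath = mkOption {
      type = types.str;
      # No default: the operator must choose the ACME challenge directory,
      # which is also granted as a writable path to the ACME units above.
      description = "The location for ACME challenges.";
    };
  };

  config.services.nginx = mkIf cfg.enable (mkMerge (virtualHosts ++ [
    {
      # Always enable nginx.
      enable = true;
      recommendedGzipSettings = true;
    }
  ]));

  config.systemd.services = mkIf cfg.enable (mkMerge services);

  config.security.acme = mkIf (cfg.enable && anySsl) {
    # If any site uses SSL, enable ACME and accept terms.
    defaults.email = "danila.fedorin@gmail.com";
    acceptTerms = true;
  };
}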