{ inputs, secrets, config, pkgs, lib, ... }:

{

  dns.zones."ctu.cx".subdomains."things".CNAME = [ "${config.networking.fqdn}." ];

  age.secrets.resticCtucxThings.file = secrets."${config.networking.hostName}".restic.ctucxThings;

  restic-backups.ctucx-things = {
    user         = "ctucx-things";
    passwordFile = config.age.secrets.resticCtucxThings.path;
    paths        = [ "/var/lib/ctucx-things" ];
  };

  services.ctucx-things = {
    enable       = true;
    storagePath  = "/var/lib/ctucx-things";
    nginx.enable = true;
    nginx.domain = "things.ctu.cx";
  };

  services.nginx.virtualHosts."things.ctu.cx" = {
    useACMEHost = "${config.networking.fqdn}";
    forceSSL    = true;
    kTLS        = true;
  };

}