{ ... }:
{
  systemd.tmpfiles.rules = [
    "f /run/agenix/nginx 0770 nginx nginx -"
  ];

  services = {
    hledger-web = {
      enable = true;
      host = "127.0.0.1";
      port = 7777;
      baseUrl = "https://ledger.bhankas.org";
      stateDir = "/var/lib/hledger";
      capabilities = {
        view = true;
        add = true;
        manage = true;
      };
      journalFiles = [
        ".hledger.journal"
      ];
      extraOptions = [
        "--forecast"
      ];
    };

    nginx = {
      enable = true;
      virtualHosts = {
        "ledger.bhankas.org" = {
          addSSL = true;
          enableACME = true;
          locations."/" = {
            proxyPass = "http://127.0.0.1:7777";
            proxyWebsockets = false;
            extraConfig =
              "proxy_set_header Host $host;\n"
              + "auth_basic \"Username and Password Required\";\n"
              + "auth_basic_user_file /run/agenix/nginx;"
            ;
          };
        };
      };
    };
  };

  security.acme = {
    acceptTerms = true;
    certs = {
      "ledger.bhankas.org" = {
        email = "admin@bhankas.org";
        dnsResolver = "1.1.1.1:53";
      };
    };
  };
}