{
  config,
  lib,
  pkgs,
  ...
}: {
  environment = {
    systemPackages = with pkgs; [
      goaccess
    ];
    persistence."/persist" = {
      directories = [
        "/var/www/goaccess"
      ];
    };
  };

  services = {
    nginx = {
      virtualHosts = {
        "goaccess.szczepan.ski" = {
          forceSSL = true;
          enableACME = true;
          basicAuthFile = config.sops.secrets.goaccess-htpasswd.path;
          locations = {
            "/" = {root = "/var/www/goaccess";};
            "/ws" = {
              proxyPass = "http://127.0.0.1:7890/";
              proxyWebsockets = true;
            };
          };
        };
      };
    };
  };

  systemd = {
    tmpfiles.settings = {
      "goaccess" = {
        "/var/www/goaccess" = {d.mode = "0755";};
      };
    };

    services = {
      # Limit stack size to reduce memory usage
      fail2ban.serviceConfig.LimitSTACK = 256 * 1024;

      goaccess = {
        description = "GoAccess real-time web log analysis";
        after = ["network.target"];
        wantedBy = ["multi-user.target"];
        script = "${pkgs.gzip}/bin/zcat -f /var/log/nginx/access.* | ${pkgs.goaccess}/bin/goaccess - -o /var/www/goaccess/index.html --log-format='%v %h %^[%d:%t %^]%^\"%r\" %s %b \"%R\" \"%u\"' --real-time-html --ws-url=wss://goaccess.szczepan.ski:443/ws --port 7890 --time-format \"%H:%M:%S\" --date-format \"%d/%b/%Y\"";
        # serviceConfig = {
        #   StateDirectory = "/var/www/goaccess";
        #   # ExecStart = "${pkgs.bash}/bin/bash -c "${pkgs.gzip}/bin/zcat -f /var/log/nginx/access.* | ${pkgs.goaccess}/bin/goaccess -o /var/www/goaccess/index.html --log-format='%v %h %^[%d:%t %^]%^\"%r\" %s %b \"%R\" \"%u\"' --real-time-html --ws-url=wss://goaccess.szczepan.ski:443/ws --port 7890 --time-format \"%H:%M:%S\" --date-format \"%d/%b/%Y\"'";
        #   # ExecStop = "/bin/kill -9 ${MAINPID}";
        # };
      };
    };
  };
}