{ pkgs, ... }:

{
  services.nginx.virtualHosts = {
    "acme-hamburg.ccc.de" = {
      enableACME = true;
      serverName = "hamburg.ccc.de";

      listen = [
        {
          addr = "0.0.0.0";
          port = 31820;
        }
      ];
    };

    "hamburg.ccc.de" = {
      forceSSL = true;
      useACMEHost = "hamburg.ccc.de";

      listen = [
        {
          addr = "0.0.0.0";
          port = 8443;
          ssl = true;
          proxyProtocol = true;
        }
      ];

      root = "/var/www/hamburg.ccc.de/";

      # Redirect the old spaceapi endpoint to the new one.
      locations."/dooris/status.json" = {
        return = "302 https://spaceapi.hamburg.ccc.de/";
      };

    locations."/.well-known/matrix/server" = {
      return = "200 '{\"m.server\": \"matrix.hamburg.ccc.de:443\"}'";
      extraConfig = ''
        add_header Content-Type application/json;
      '';
    };
    locations."/.well-known/matrix/client" = {
      return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.hamburg.ccc.de\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}}'";
      extraConfig = ''
        default_type application/json;
        add_header Access-Control-Allow-Origin *;
      '';
    };
      # Redirect pages starting with 4 digits for redirecting the old blog
      # article URLs.
      # We want to redirect /yyyy/mm/dd/slug to /blog/yyyy/mm/dd/slug, but we
      # just match the first 4 digits for simplicity.
      locations."~ \"^/[\\d]{4}\"" = {
        return = "302 https://$host/blog$request_uri";
      };

      # Redirect pages, which previously lived on the old website, to their
      # successors in the wiki.
      locations."/club/satzung" = {
        return = "302 https://wiki.hamburg.ccc.de/verein:offizielles:satzung";
      };
      locations."/club/hausordnung" = {
        return = "302 https://wiki.hamburg.ccc.de/verein:offizielles:hausordnung";
      };
      locations."/club/vertrauenspersonen" = {
        return = "302 https://wiki.hamburg.ccc.de/verein:offizielles:vertrauenspersonen";
      };
      locations."/club/beitragsordnung" = {
        return = "302 https://wiki.hamburg.ccc.de/verein:offizielles:beitragsordnung";
      };
      locations."/club/mitgliedschaft" = {
        return = "302 https://wiki.hamburg.ccc.de/verein:offizielles:foemi-formular";
      };
      locations."/club/geschichte" = {
        return = "302 https://wiki.hamburg.ccc.de/club:geschichte";
      };

      # Redirect old feed location.
      locations."/feed.xml" = {
        return = "302 https://$host/blog/index.xml";
      };

      extraConfig = ''
        # Make use of the ngx_http_realip_module to set the $remote_addr and
        # $remote_port to the client address and client port, when using proxy
        # protocol.
        # First set our proxy protocol proxy as trusted.
        set_real_ip_from 172.31.17.140;
        # Then tell the realip_module to get the addreses from the proxy protocol
        # header.
        real_ip_header proxy_protocol;

        error_page 404 /404.html;
      '';
    };
  };

  users.users.ccchh-website-deploy = {
    isNormalUser = true;
    group = "ccchh-website-deploy";
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILX847OMjYC+he1nbV37rrdCQVGINFY43CwLjZDM9iyb ccchh website deployment key"
    ];
  };
  users.groups.ccchh-website-deploy = { };
}