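{ ... }:
let
  domain = "diday.org";
  dataDir = "/var/www/${domain}";
  deployUser = "diday-website-deploy";

  # Both TLS vhosts are reached through the same proxy-protocol frontend on
  # 8443, so they share one listener definition.
  sslListen = [
    { addr = "0.0.0.0"; port = 8443; ssl = true; proxyProtocol = true; }
  ];

  # Preview gate shared by both TLS vhosts.
  # NOTE(review): `basicAuth` renders these credentials into the
  # world-readable Nix store. `basicAuthFile` pointing at a file kept
  # outside the store is the usual fix; it is a deployment change and is
  # left for the author.
  previewAuth = { "preview" = "liebe"; };

  # nginx only inherits `add_header` from the enclosing level when the
  # current level has NO `add_header` of its own, so every location that
  # sets a Cache-Control header has to repeat this line or it silently
  # loses the Referrer-Policy header.
  referrerPolicy = ''add_header Referrer-Policy "strict-origin-when-cross-origin" always;'';
in
{
  # One certificate covers the canonical domain and the CCC alias.
  security.acme.certs."${domain}".extraDomainNames = [ "did.hamburg.ccc.de" ];

  services.nginx.virtualHosts = {
    # Plain-HTTP vhost that only exists so the ACME challenge can be answered
    # on the port the frontend forwards for it.
    "acme-${domain}" = {
      enableACME = true;
      serverName = domain;
      listen = [ { addr = "0.0.0.0"; port = 31820; } ];
    };

    # Alias: permanently redirect to the canonical domain.
    "did.hamburg.ccc.de" = {
      forceSSL = true;
      useACMEHost = domain;
      listen = sslListen;
      # NOTE(review): `return` runs in nginx's rewrite phase, before the
      # access phase that performs basic auth, so this gate has no effect on
      # the redirect below; kept for parity with the main vhost.
      basicAuth = previewAuth;
      extraConfig = ''
        return 301 https://diday.org;
      '';
    };

    # Canonical site, served from the deploy user's webroot.
    "${domain}" = {
      forceSSL = true;
      useACMEHost = domain;
      listen = sslListen;
      basicAuth = previewAuth;
      root = dataDir;
      extraConfig = ''
        # Make use of the ngx_http_realip_module to set the $remote_addr and
        # $remote_port to the client address and client port, when using proxy
        # protocol.
        # First set our proxy protocol proxy as trusted.
        set_real_ip_from 172.31.17.140;
        # Then tell the realip_module to get the addresses from the proxy protocol
        # header.
        real_ip_header proxy_protocol;

        error_page 404 /404.html;
        port_in_redirect off;
        index index.html;

        ${referrerPolicy}

        # return a redirect based on the map loaded from the webroot
        # (the map defining $did_redirect_target is configured elsewhere)
        if ($did_redirect_target ~ ^301:(.*)$) {
          return 301 $1;
        }
        if ($did_redirect_target ~ ^302:(.*)$) {
          return 302 $1;
        }

        # deny access to the redirects config file
        location = /nginx-redirects.conf {
          deny all;
          return 404;
        }

        # dynamically redirect the user to the language they prefer
        location = / {
          set $lang "de";
          if ($http_accept_language ~* "^en") {
            set $lang "en";
          }
          return 302 /$lang/;
        }

        # configure decap-cms content-type and caching rules
        location = /admin/cms.js {
          expires -1;
          add_header Cache-Control "no-store";
          ${referrerPolicy}
        }
        location = /admin/config.yml {
          expires -1;
          add_header Cache-Control "no-store";
          ${referrerPolicy}
          types { }
          default_type text/yaml;
        }

        # configure asset caching
        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff2?)$ {
          expires 1y;
          add_header Cache-Control "public, immutable";
          ${referrerPolicy}
        }

        # we are using the Astro Image Pipeline, therefore DecapCMS can't access image previews
        location /admin/src/ {
          log_not_found off;
          return 404;
        }

        location / {
          try_files $uri $uri/ =404;
        }
      '';
    };
  };

  # Webroot owned by the deploy user so the CI runner can publish into it.
  systemd.tmpfiles.rules = [
    "d ${dataDir} 0755 ${deployUser} ${deployUser}"
  ];

  # Unprivileged account used by the Codeberg Actions runner to push builds.
  users.users."${deployUser}" = {
    isNormalUser = true;
    group = deployUser;
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBitESG5AvHnHLPo+kdsV5l+wzSTqCltkk0IFAWGqBcl codeberg-actions-runner"
    ];
  };
  users.groups."${deployUser}" = { };
}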