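# NixOS module for the static cpu.ccc.de website.
#
# It declares three nginx virtual hosts (an ACME challenge host, the site
# itself, and a redirect host for the alternative names), the web root
# directory, and a dedicated SSH user that owns the web root.
{ ... }:

let
  domain = "cpu.ccc.de";
  dataDir = "/var/www/${domain}";
  deployUser = "cpuccc-website-deploy";

  # Listener shared by both TLS virtual hosts. It expects the PROXY protocol
  # header on every connection.
  # NOTE(review): this binds to all addresses. The realip settings below only
  # honour the header from the one trusted proxy, so $remote_addr is not
  # affected by other peers, but $proxy_protocol_addr would still carry
  # unverified data if it were ever used directly. Confirm that the host
  # firewall limits port 8443 to the proxy.
  proxyProtocolListen = [
    {
      addr = "0.0.0.0";
      port = 8443;
      ssl = true;
      proxyProtocol = true;
    }
  ];

  # nginx snippet shared by both TLS virtual hosts, kept in one place so the
  # trusted proxy address cannot drift between them.
  realIpConfig = ''
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
    # protocol.
    # First set our proxy protocol proxy as trusted.
    set_real_ip_from 172.31.17.140;
    # Then tell the realip_module to get the addreses from the proxy protocol
    # header.
    real_ip_header proxy_protocol;
  '';
in
{
  # Additional names on the certificate for ${domain}; the redirect host below
  # reuses that certificate through useACMEHost.
  security.acme.certs.${domain}.extraDomainNames = [
    "cpuccc.hamburg.ccc.de"
    "lokal.ccc.de"
    "local.ccc.de"
  ];

  services.nginx.virtualHosts = {
    # Plain-HTTP host with enableACME set and serverName equal to ${domain}.
    # NOTE(review): presumably the upstream proxy forwards challenge requests
    # to port 31820; confirm the port is not reachable from elsewhere.
    "acme-${domain}" = {
      enableACME = true;
      serverName = domain;
      listen = [
        {
          addr = "0.0.0.0";
          port = 31820;
        }
      ];
    };

    # https://git.hamburg.ccc.de/CCCHH/cpu.ccc.de/src/branch/main/nginx.conf
    ${domain} = {
      forceSSL = true;
      useACMEHost = domain;
      listen = proxyProtocolListen;
      root = dataDir;

      extraConfig = ''
        index index.html;
        default_type text/plain;

        ${realIpConfig}
        port_in_redirect off;
      '';

      locations."/" = {
        tryFiles = "$uri $uri/ =404";
        extraConfig = ''
          location /feed/ {
            default_type application/rss+xml;
            types {
              text/xml application/rss+xml;
            }
          }

          location /rss {
            default_type application/rss+xml;
          }
        '';
      };
    };

    # Alternative names: every request is answered with a 302 to the main site.
    "cpuccc.hamburg.ccc.de" = {
      forceSSL = true;
      useACMEHost = domain;
      serverAliases = [
        "lokal.ccc.de"
        "local.ccc.de"
      ];
      listen = proxyProtocolListen;
      locations."/".return = "302 https://${domain}";

      extraConfig = ''
        ${realIpConfig}
      '';
    };
  };

  # Web root, owned by the deploy user; 0755 leaves it readable by other
  # accounts and writable by the owner only.
  systemd.tmpfiles.rules = [
    "d ${dataDir} 0755 ${deployUser} ${deployUser}"
  ];

  # Account used to push the site content over SSH.
  # NOTE(review): isNormalUser creates a regular login account, and the key
  # below carries no authorized_keys options. If the deploy tooling allows it,
  # limit what this key can do (for example with the OpenSSH `restrict`
  # option), since the key's holder controls everything served from ${dataDir}.
  users.users.${deployUser} = {
    isNormalUser = true;
    group = deployUser;
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOnO7g/7mVVKnvkszto8m3nPljO/6qQc/34aEbrhKOvn deploy key for cpu.ccc.de"
    ];
  };

  users.groups.${deployUser} = { };
}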