# NixOS module: nginx virtual hosts for next.hamburg.ccc.de and the SSH account
# used to deploy the website.
{ pkgs, ... }:

let
  # Public site name; also the name of the ACME certificate that is reused below.
  siteDomain = "next.hamburg.ccc.de";

  # Name shared by the deployment user and its primary group.
  deployAccount = "ccchh-website-deploy";
in
{
  # Certificate-issuing vhost: enableACME obtains a certificate for serverName.
  # The listener has no `ssl` flag, so it serves plain HTTP on port 31820.
  # NOTE(review): presumably the upstream proxy forwards ACME HTTP-01 challenge
  # requests to this port; confirm against the proxy configuration.
  services.nginx.virtualHosts."acme-next.hamburg.ccc.de" = {
    serverName = siteDomain;
    enableACME = true;
    listen = [
      {
        addr = "0.0.0.0";
        port = 31820;
      }
    ];
  };

  # Site vhost: TLS on port 8443, reusing the certificate requested above
  # (useACMEHost). proxyProtocol makes nginx expect a PROXY protocol header on
  # every connection to this listener.
  # NOTE(review): both listeners bind 0.0.0.0. Only 172.31.17.140 is trusted for
  # address rewriting (see extraConfig), but confirm that the host firewall
  # limits 8443 and 31820 to that proxy so the proxy cannot be bypassed.
  services.nginx.virtualHosts.${siteDomain} = {
    useACMEHost = siteDomain;
    forceSSL = true;
    root = "/var/www/next.hamburg.ccc.de/";
    listen = [
      {
        addr = "0.0.0.0";
        port = 8443;
        ssl = true;
        proxyProtocol = true;
      }
    ];
    extraConfig = ''
      # Make use of the ngx_http_realip_module to set the $remote_addr and
      # $remote_port to the client address and client port, when using proxy
      # protocol.
      # First set our proxy protocol proxy as trusted.
      set_real_ip_from 172.31.17.140;
      # Then tell the realip_module to get the addreses from the proxy protocol
      # header.
      real_ip_header proxy_protocol;
    '';
  };

  # Dedicated group for the deployment account.
  users.groups.${deployAccount} = { };

  # Deployment account; the only credential declared here is one SSH public key.
  # NOTE(review): the key carries no authorized_keys options (e.g. `restrict` or
  # a forced `command=`), so it grants a regular login session. Consider
  # limiting it to what the deployment needs. Ownership of the web root is not
  # set in this module; verify that this user can write only to that directory.
  users.users.${deployAccount} = {
    isNormalUser = true;
    group = deployAccount;
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILX847OMjYC+he1nbV37rrdCQVGINFY43CwLjZDM9iyb next.hamburg.ccc.de deployment key"
    ];
  };
}