{ config, lib, pkgs, ... }:
let
  domain = "schulischer-schabernack.de";
in
{
  services.nginx = {
    commonHttpConfig = ''
      # privacy-aware log format
      log_format schabernack '$remote_addr_schabernack - - [$time_local] "$request" $status $body_bytes_sent "-" "$http_user_agent"';

      # anonymise ip address
      map $remote_addr $remote_addr_schabernack {
        ~(?P<ip>\d+\.\d+)\.     $ip.0.0;
        ~(?P<ip>[^:]+:[^:]+):   $ip::;
        default                 0.0.0.0;
      }
    '';

    virtualHosts = {
      ${domain} = {
        forceSSL = true;
        enableACME = true;

        root = "/var/www/schabernack/production";

        # only log page views, rss feed access, media file download and embed views
        extraConfig = ''
          location ~ index\.html|rss\.xml|\.(opus|m4a|ogg|mp3|\.podlove.json)$ {
            access_log /var/log/nginx/schabernack.log schabernack;
          }
        '';
      };
      "www.${domain}" = {
        forceSSL = true;
        enableACME = true;
        globalRedirect = domain;

        extraConfig = ''
          access_log off;
        '';
      };
      "staging.${domain}" = {
        forceSSL = true;
        enableACME = true;

        root = "/var/www/schabernack/staging";

        extraConfig = ''
          access_log off;
        '';
      };
    };
  };

  systemd.tmpfiles.rules = [
    "d /var/www/schabernack/production 0755 schabernack root -"
    "d /var/www/schabernack/staging 0755 schabernack root -"
  ];

  users = {
    users.schabernack = {
      isSystemUser = true;
      group = "schabernack";
      shell = "/bin/sh";

      openssh.authorizedKeys.keys = map
        (key: "command=\"${pkgs.rrsync}/bin/rrsync -wo /var/www/schabernack/\",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ${key}")
        config.sbruder.pubkeys.trustedKeys;
    };
    groups.schabernack = { };
  };
}