{ config, lib, pkgs, ... }:
let
  # Filter definition handed to ebk-notify via --filter. It is a path literal,
  # so interpolating it into the unit's command line copies the file into the
  # world-readable Nix store; keep anything sensitive out of it.
  filter-file = ./filter.yml;

  # ebk-notify, built from a pinned upstream commit.
  pkg = pkgs.python3Packages.buildPythonPackage rec {
    pname = "ebk-notify";
    # The "version" is the upstream commit id; it doubles as the fetch rev.
    version = "d16ce227dc68c9f60f6dd06e6835bab7cdfdf61b";

    # The clone goes over plain HTTP. What ends up being built is still fixed
    # by the commit id and the sha256 below (a mismatch fails the fetch), but
    # the transfer itself is neither authenticated nor confidential.
    # NOTE(review): switch to https:// if the cgit host serves it - confirm.
    src = pkgs.fetchgit {
      url = "http://cgit.euer.krebsco.de/ebk-notify";
      rev = version;
      sha256 = "15dlhp17alm01fw7mzdyh2z9zwz8psrs489lxs3hgg1p5wa0kzsp";
    };

    # Python runtime dependencies; `with` is scoped to this list only.
    propagatedBuildInputs = with pkgs.python3Packages; [
      docopt
      pyyaml
      requests
      beautifulsoup4
      dateutil
      feedgen
    ];
  };

  # Virtual host name and the directory whose contents it serves.
  domain = "feed.euer.krebsco.de";
  path = "/var/www/feed.euer.krebsco.de";
in
{
  # Make sure the feed output directory exists, owned by nginx:nogroup; mode
  # and cleanup age are left at the tmpfiles defaults ("-").
  # NOTE(review): the web-server account itself owns the directory it serves,
  # so the published files are not write-protected from the nginx user.
  systemd.tmpfiles.rules = [ "d ${path} nginx nogroup - -" ];
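  # Install the ebk-notify configuration (kept with the secrets) at
  # /etc/ebk-notify.yml, owned by the account the service runs as.
  # NOTE(review): that account is "nginx", so the web server's user can read
  # this file too; a dedicated service account would narrow that.
  krebs.secret.files.ebknotify = {
    path = "/etc/ebk-notify.yml";
    owner.name = "nginx";
    # toString yields the plain filesystem path. Interpolating the path value
    # into a string instead would first copy the secret into the
    # world-readable Nix store and pass on that store path.
    # NOTE(review): assumes <secrets> resolves on the machine that installs
    # the secret - confirm against the deployment flow.
    source-path = toString <secrets/ebk-notify.yml>;
  };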
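  # Periodic ebk-notify run: started every ten minutes, with the timer adding
  # up to 120 s of random delay, writing its output into ${path}.
  systemd.services.ebk-notify = {
    startAt = "*:0/10";
    serviceConfig = {
      # TODO: run under a dedicated account. Sharing "nginx" lets the web
      # server's user read the secret config and rewrite the published files.
      User = "nginx";
      # The cache used to live at a fixed name in the shared, world-writable
      # /tmp, where any local account could pre-create or replace it.
      # CacheDirectory makes systemd create /var/cache/ebk-notify owned by
      # User, and it persists between timer runs. The old /tmp cache file is
      # not migrated, so the first run starts with an empty cache.
      CacheDirectory = "ebk-notify";
      # Safe to enable now that nothing has to survive in /tmp across runs.
      PrivateTmp = true;
      ExecStart = lib.concatStringsSep " " [
        "${pkg}/bin/ebk-notify"
        "--atom"
        "--outdir ${path}"
        "--config /etc/ebk-notify.yml"
        "--cache /var/cache/ebk-notify/ebk-cache.json"
        "--filter ${filter-file}"
        "--wait 30"
      ];
    };
  };
  systemd.timers.ebk-notify.timerConfig.RandomizedDelaySec = "120";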
  # Static HTTPS virtual host for the generated feed: certificate obtained
  # via ACME, plain HTTP redirected to HTTPS, and "/" served straight from
  # the output directory with root.atom as the index document.
  # NOTE(review): services.nginx.enable is not set in this module; presumably
  # it is enabled elsewhere - confirm.
  services.nginx.virtualHosts.${domain} = {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      index = "root.atom";
      root = path;
    };
  };
}