{ config, lib, pkgs, ... }:

with lib;
let
  sec = toString <secrets>;
  ssl_cert = "${sec}/wildcard.krebsco.de.crt";
  ssl_key  = "${sec}/wildcard.krebsco.de.key";
  hostname = config.krebs.build.host.name;
  user = config.services.nginx.user;
  group = config.services.nginx.group;
  external-ip = head config.krebs.build.host.nets.internet.addrs4;
  internal-ip = head config.krebs.build.host.nets.retiolum.addrs4;
  base-dir = "/var/www/blog.euer";
in {
  # Prepare Blog directory
  systemd.services.prepare-euer-blog = {
    wantedBy = [ "local-fs.target" ];
    before = [ "nginx.service" ];
    serviceConfig = {
      # do nothing if the base dir already exists
      ExecStart = pkgs.writeScript "prepare-euer-blog-service" ''
        #!/bin/sh
        if ! test -d "${base-dir}" ;then
          mkdir -p "${base-dir}"
          chown ${user}:${group} "${base-dir}"
          chmod 700 "${base-dir}"
        fi
      '';
      Type = "oneshot";
      RemainAfterExit = "yes";
      TimeoutSec = "0";
    };
  };

  krebs.nginx = {
    enable = mkDefault true;
    servers = {
      euer-blog = {
        listen = [ "${external-ip}:80" "${external-ip}:443 ssl"
                   "${internal-ip}:80" "${internal-ip}:443 ssl" ];
        server-names = [ "euer.krebsco.de" "blog.euer.krebsco.de" "blog.${hostname}" ];
        extraConfig = ''
          gzip on;
          gzip_buffers 4 32k;
          gzip_types  text/plain application/x-javascript text/css;
          ssl_certificate ${ssl_cert};
          ssl_certificate_key ${ssl_key};
          default_type text/plain;
        '';
        locations = singleton (nameValuePair "/" ''
          root ${base-dir};
        '');
      };
    };
  };
}