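# NixOS module for the photo gallery at photos.ctu.cx.
#
# A periodic systemd job renders the gallery from a read-only bind mount of the
# Syncthing photo folder into /var/lib/ctucx-gallery, and nginx serves that
# directory over HTTPS with caching disabled for the generated HTML pages.
{ config, pkgs, lib, ... }:

let
  # Paths shared by the bind mount, the generator job and nginx; defined once
  # so the three cannot drift apart.
  sourceDir = "/mnt/photos.ctu.cx";
  stateDir  = "/var/lib/ctucx-gallery";

  # Settings for the gallery generator; serialised to an INI file below.
  galleryConfig = {
    globalSection = {
      SourceDir  = sourceDir;
      TargetDir  = stateDir;
      MogrifyCmd = "${pkgs.imagemagick}/bin/mogrify";
    };
    sections = {
      Thumbnails = {
        SmallHeight  = "200";
        SmallQuality = "90";
      };
      Site = {
        Author              = "ctucx";
        Name                = "ctucx.photos";
        Description         = "photos that i made";
        Tags                = "ctucx, ctucx bahnbilder";
        ShowOriginalsButton = "true";
        SymlinkOriginals    = "true";
        EnableJS            = "true";
      };
    };
  };

  # The INI file ends up in the Nix store and is passed to the generator on its
  # command line.
  galleryConfigFile = pkgs.writeText "gallery.ini"
    (lib.generators.toINIWithGlobalSection { } galleryConfig);
in
{
  dns.zones."ctu.cx".subdomains.photos.CNAME = [ "${config.networking.fqdn}." ];

  # Read-only bind mount of the photo folder, so the generator (and nginx, via
  # SymlinkOriginals) only ever sees a read-only view of the Syncthing data.
  fileSystems.${sourceDir} = {
    device  = "/home/katja/syncthing/Pictures/photos.ctu.cx";
    options = [ "bind" "ro" ];
  };

  # Static, unprivileged account owning the rendered gallery.
  users = {
    users."ctucx-gallery" = {
      home         = stateDir;
      group        = "ctucx-gallery";
      isSystemUser = true;
    };
    groups."ctucx-gallery" = { };
  };

  systemd.services.ctucx-gallery = {
    # Re-render every ten minutes; startAt creates the matching timer unit.
    startAt  = "*-*-* *:0/10:00";
    wantedBy = [ "multi-user.target" ];
    requires = [ "local-fs.target" ];
    # Tie the job explicitly to the bind mount it reads from, rather than only
    # to local-fs.target as a whole.
    unitConfig.RequiresMountsFor = sourceDir;
    path = [ pkgs.imagemagick ];

    serviceConfig = {
      Type = "oneshot";
      # DynamicUser is intentionally not used: the rendered files must stay
      # readable by nginx under a stable uid/gid, hence the static user above.
      # DynamicUser = true;
      ExecStart = "${pkgs.ctucx-gallery}/bin/gallery ${galleryConfigFile}";
      User  = "ctucx-gallery";
      Group = "ctucx-gallery";

      # systemd creates and owns the state directory; mode 755 is needed so the
      # nginx worker (a different user) can read the generated files.
      StateDirectory     = "ctucx-gallery";
      StateDirectoryMode = "755";

      # Sandboxing. The job only needs to read sourceDir and write stateDir.
      # NOTE(review): it is not obvious from here that the generator needs any
      # network access at all; if it does not, RestrictAddressFamilies could be
      # tightened further and ProtectHome=true / ProtectSystem=strict
      # considered — verify against the generator before changing.
      NoNewPrivileges        = true;
      PrivateTmp             = true;
      PrivateDevices         = true;
      RestrictAddressFamilies = "AF_INET AF_INET6";
      RestrictNamespaces     = true;
      RestrictRealtime       = true;
      ProtectSystem          = "full";
      ProtectControlGroups   = true;
      ProtectKernelModules   = true;
      ProtectKernelTunables  = true;
      DevicePolicy           = "closed";
      LockPersonality        = true;
    };
  };

  services.nginx = {
    enable = true;
    virtualHosts."photos.ctu.cx" = {
      useACMEHost = "${config.networking.fqdn}";
      forceSSL    = true;
      kTLS        = true;
      root        = stateDir;

      # Disable client/intermediary caching for the generated HTML pages only;
      # everything else is served with nginx's defaults.
      #
      # The location regex must reach nginx as "\.html$". A single "\." inside
      # a Nix double-quoted string is unescaped to "." (any character), so the
      # backslash has to be doubled here.
      #
      # Cache-Control directives are comma separated; "private" and "no-store"
      # need a comma between them or the pair is not a valid directive and may
      # be ignored. The value is kept on one line so the header contains no
      # line break.
      locations."~* \\.html$".extraConfig = ''
        add_header Last-Modified $date_gmt;
        add_header Cache-Control 'private, no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
        if_modified_since off;
        expires off;
        etag off;
      '';
    };
  };
}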