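# NixOS module: nginx virtual host for a static React single-page app, plus the
# SSH account that owns (and uploads into) the web root.
{ pkgs, lib, config, ... }:
let
  domain = "ebs-mobile.cloonar.dev";
  dataDir = "/var/www/${domain}";
in
{
  services.nginx.virtualHosts."${domain}" = {
    # HTTPS only: plain-HTTP requests are redirected, certificate comes from ACME.
    forceSSL = true;
    enableACME = true;

    # Use HTTP-01 challenge for Let's Encrypt.
    # mkForce makes this value win over an acmeRoot set by any other module.
    # NOTE(review): presumably a shared default elsewhere selects another
    # challenge type; confirm that is why the override is needed.
    acmeRoot = lib.mkForce "/var/lib/acme/acme-challenge";

    root = dataDir;

    # NOTE(review): this is a plain prefix location. nginx prefers a matching
    # regex location over a prefix match, and the static-asset regex below
    # includes `ico`, so these log settings are likely never applied to
    # /favicon.ico. Use the exact-match key "= /favicon.ico" if the log
    # suppression is actually wanted.
    locations."/favicon.ico".extraConfig = ''
      log_not_found off;
      access_log off;
    '';

    # React client-side routing support: any path that is not a file or
    # directory on disk falls back to index.html, query string preserved.
    locations."/".extraConfig = ''
      index index.html;
      try_files $uri $uri/ /index.html$is_args$args;
    '';

    # Cache static assets for one year.
    # - Safe only if the build emits content-hashed file names; otherwise
    #   clients keep stale (possibly vulnerable) JS/CSS for up to a year.
    # - add_header inside a location replaces add_header directives inherited
    #   from the server/http level, so security headers defined there (HSTS,
    #   CSP, X-Content-Type-Options, ...) are NOT sent with these responses
    #   unless they are repeated here.
    # - "Pragma" is a legacy HTTP/1.0 header, kept as in the original.
    locations."~* \\.(js|jpg|gif|png|webp|css|woff2|svg|ico)$".extraConfig = ''
      expires 365d;
      add_header Pragma "public";
      add_header Cache-Control "public";
    '';

    # Deny PHP execution.
    # No PHP handler is configured in this vhost; this answers 403 for any
    # path with a ".php" segment, so a stray .php file in the web root is
    # never handed out as plain text either.
    locations."~ [^/]\\.php(/|$)".extraConfig = ''
      deny all;
    '';
  };

  # Deploy account: its home directory IS the web root and it logs in with
  # the SSH public key below.
  # NOTE(review): isNormalUser creates a regular login account. If the key is
  # only used to upload the build, consider limiting it to file transfer in
  # the sshd configuration.
  users.users."${domain}" = {
    isNormalUser = true;
    createHome = true;
    home = dataDir;
    # Least privilege: the owner (deploy user) writes, group nginx only reads
    # and traverses. The original "770" also let every member of group nginx
    # modify the served files, which a static site does not need and which
    # would let a compromised web-server process tamper with the site content.
    homeMode = "750";
    group = "nginx";
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIErjoADQK5SJ5si/iezzwQn5xH1RkgnTIlbeE4BRU1FN"
    ];
  };

  # NOTE(review): this group is declared but not referenced by the user above,
  # whose primary group is nginx. Confirm whether anything else relies on it.
  users.groups.${domain} = {};
}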