{ pkgs, lib, config, ... }:
let
  domain = "tandem.paraclub.cloonar.dev";
  dataDir = "/var/www/${domain}";
  user = builtins.replaceStrings ["." "-"] ["_" "_"] domain;
in {
  services.nginx.virtualHosts."${domain}" = {
    forceSSL = true;
    enableACME = true;
    acmeRoot = null;
    root = "${dataDir}";

    locations."/favicon.ico".extraConfig = ''
      log_not_found off;
      access_log off;
    '';

    locations."/".extraConfig = ''
      index index.html;
      try_files $uri $uri/ /index.html$is_args$args;
    '';

    locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = ''
     expires 365d;
     add_header Pragma "public";
     add_header Cache-Control "public";
    '';

    locations."~ [^/]\.php(/|$)".extraConfig = ''
      deny all;
    '';
  };
  users.users."${user}" = {
    isNormalUser = true;
    createHome = true;
    home = dataDir;
    homeMode= "770";
    #home = "/home/${domain}";
    group  = "nginx";
    openssh.authorizedKeys.keys = [
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDpezoJfaqSlQKhbzIRxQysmSmU5tih0SGFh4Eiy3YjfxiJSCRCuVTBCUmnhDCPsJZK+5xEDGarO8UfiqxZfxEyEL5d7IcRQJ/uRSFhYzByGbkziLM760KYqBzaE2Siu+zk625KOm6BN9qWGZdirejwf1Ay9EYmUdNiCMBBFLkPaQkZ8IEuMavf1wHEiZLas25eK7oJWHYKltcluH05QEF+5ODu88nlSpFlz2FjxJSbLDf7qeUba/L2OL124dTU5NIDNzwZLCKjpp8aTYzTaoox7KXUVRmy1X4Or61WhSxw9+LGyrAZLsW+l0a4FgY17V5HnF5/jf8eOpkuVdwtd29KCheJ4BdUfomV8vEt6S0hUP66VqJn6MliuL+10KM6TjLnjg0McPp1LPuSFRoLzO0YetTZzeVc0oBIr9Z3vjm6jt1dYcUtaydn/fc+FgoqpIOLz6EOGCz/CmyaV4rLk2BFKqtx5GP1wbP36hVkyWpREbEMILpFKDOyp21fC67mb0M="
    ];
  };
  users.groups.${user} = {};
}