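# NixOS module: installs ImageMagick (built against libwebp) and Ghostscript,
# and runs nginx with a pre-created /var/www owned by the nginx user.
{ config, pkgs, ... }:

{
  # Override the imagemagick package so libwebp is passed in explicitly.
  # The lambda's own `pkgs` argument shadows the module-level one here.
  nixpkgs.config.packageOverrides = pkgs: {
    imagemagick = pkgs.imagemagick.override {
      libwebp = pkgs.libwebp;
    };
  };

  # NOTE(review): ImageMagick can hand PostScript/PDF-family input to
  # Ghostscript through its delegates. If anything on this host runs these
  # tools on files supplied by untrusted users, restrict the permitted
  # coders and delegates in ImageMagick's policy.xml. Confirm the use case.
  environment.systemPackages = with pkgs; [
    imagemagick
    ghostscript
  ];

  systemd.services = {
    # "read-only" makes /home, /root and /run/user readable (not writable)
    # by the nginx unit, so every file there that the nginx user has
    # permission to read is within the web server's reach.
    # NOTE(review): presumably content is served from a home directory;
    # exposing only that path with BindReadOnlyPaths would be narrower.
    nginx.serviceConfig.ProtectHome = "read-only";

    # One-shot unit ordered before nginx.service that prepares the web root.
    nginx_setup = {
      wantedBy = [ "multi-user.target" ];
      before = [ "nginx.service" ];
      serviceConfig.Type = "oneshot";

      # One command per line. Run together on a single line, everything
      # after `mkdir -p` would be taken as directory names to create and
      # the ownership and mode would never be set.
      script = ''
        mkdir -p /var/www
        chown nginx:nginx /var/www
        chmod 755 /var/www
      '';
    };
  };

  services.nginx = {
    enable = true;

    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    # Replaces the module's default cipher list for TLS 1.2 and below:
    # AES-256 suites with ephemeral ECDH or DH key exchange, and no
    # anonymous (unauthenticated) suites.
    # NOTE(review): this pattern also matches CBC-mode AES-256 suites and
    # excludes ChaCha20 and AES-128; compare it with the module default
    # and check which protocol versions are enabled before keeping it.
    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
  };
}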