{ pkgs, lib, config, ... }:
let
  domain = config.networking.domain;
  dataDir = "/var/www/${domain}";
  # Matrix well-known for homeserver and auth issuer discovery
  matrixClientConfig = {
    "m.homeserver".base_url = "https://matrix.cloonar.com";
    "org.matrix.msc2965.authentication" = {
      issuer = "https://matrix.cloonar.com/";
      account = "https://matrix.cloonar.com/account";
    };
  };
  matrixServerConfig."m.server" = "matrix.cloonar.com:443";
in {

  services.webstack.instances."${domain}" = {
    enablePhp = false;

    authorizedKeys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOXKR0AQdP1zn6pL2yjGA/eo9F5Ah2u6+Y5dIk8wR5/I"
    ];

    locations."/".extraConfig = ''
      index index.html;
    '';

    # Matrix well-known endpoints for server/client discovery
    locations."= /.well-known/matrix/server".extraConfig = ''
      default_type application/json;
      add_header Access-Control-Allow-Origin *;
      return 200 '${builtins.toJSON matrixServerConfig}';
    '';
    locations."= /.well-known/matrix/client".extraConfig = ''
      default_type application/json;
      add_header Access-Control-Allow-Origin *;
      return 200 '${builtins.toJSON matrixClientConfig}';
    '';

    locations."~* \.(jpe?g|png)$".extraConfig = ''
      set $img_format Z;

      # Check for AVIF support (highest priority)
      if ($http_accept ~* "avif") {
          set $img_format A;
      }

      if (-f $document_root/avif/$request_uri.avif) {
          set $img_format "''${img_format}V";
      }

      # Serve AVIF if supported and available
      if ($img_format = "AV") {
        add_header Vary Accept;
        expires 365d;
        add_header Pragma "public";
        add_header Cache-Control "public";
        rewrite ^ /avif/$request_uri.avif break;

      }

      # Reset and check for WebP support (fallback)
      set $img_format Z;

      if ($http_accept ~* "webp") {
          set $img_format W;
      }

      if (-f $document_root/webp/$request_uri.webp) {
          set $img_format "''${img_format}P";
      }

      # Serve WebP if supported and available
      if ($img_format = "WP") {
          add_header Vary Accept;
          expires 365d;
          add_header Pragma "public";
          add_header Cache-Control "public";
          rewrite ^ /webp/$request_uri.webp break;
      }

      # If neither AVIF nor WebP matched, serve original format
      add_header Vary Accept;
      expires 365d;
      add_header Pragma "public";
      add_header Cache-Control "public";
    '';

    locations."~* \.(js|jpg|gif|png|webp|avif|css|woff2)$".extraConfig = ''
      expires 365d;
      add_header Pragma "public";
      add_header Cache-Control "public";
    '';
  };
}