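# NixOS module: monthly ScanA11y accessibility scan of wohnservice-wien.at.
#
# Defines a oneshot systemd service that runs `sa-core scan` as the
# scana11y_com user, a monthly timer that triggers it, and the sops secret
# holding the mail password the scanner reads.
{ config, pkgs, ... }:
{
  # sa-core is given a container image to run, so the Docker daemon is enabled.
  virtualisation.docker.enable = true;

  # NOTE(review): membership in the "docker" group gives access to the Docker
  # socket, which is effectively root on this host. Anything that compromises
  # the scana11y_com account inherits that, and systemd sandboxing on the unit
  # below would not contain it. If sa-core can work with a rootless daemon
  # (virtualisation.docker.rootless) or Podman, prefer that - TODO confirm.
  users.users.scana11y_com.extraGroups = [ "docker" ];

  systemd.services."scana11y-wohnservice-wien.at" = {
    description = "ScanA11y wohnservice-wien.at";

    # After= only orders units; it does not start them. network-online.target
    # must also be wanted, otherwise nothing guarantees it is pulled in and the
    # ordering below has no effect.
    wants = [ "docker.service" "network-online.target" ];
    after = [ "docker.service" "network-online.target" ];

    serviceConfig = {
      Type = "oneshot";
      # Run unprivileged; see the docker group note above for the caveat.
      User = "scana11y_com";
    };

    path = [ pkgs.docker pkgs.wkhtmltopdf ];

    # Notes on the arguments (comments cannot sit between the continued lines):
    # - -image is referenced by tag only. A registry tag can be re-pointed, so
    #   pinning by digest (cloonar/sa-core:v0.1.3@sha256:<digest-placeholder>)
    #   would make the pulled content immutable.
    # - -email-password-file receives the path of the sops-managed secret, so
    #   the password itself stays out of the Nix store and the process
    #   arguments; only the path is interpolated here.
    # - NOTE(review): wkhtmltopdf is archived upstream. If the report HTML it
    #   renders embeds content taken from scanned pages, treat that input as
    #   untrusted - verify against sa-core.
    script = ''
      exec ${pkgs.sa-core}/bin/sa-core scan \
        -domain=wohnservice-wien.at \
        -depth=3 \
        -max-pages=100 \
        -image=cloonar/sa-core:v0.1.3 \
        -output=/var/www/scana11y.com/reports \
        -wkhtmltopdf=${pkgs.wkhtmltopdf}/bin/wkhtmltopdf \
        -email-server=imap.cloonar.com \
        -email-username=office@scana11y.com \
        -email-password-file=${config.sops.secrets.sa-core-mailpw.path} \
        -email-sender=office@scana11y.com \
        -email-recipient=dominik.polakovics@cloonar.com \
        -keep 6 \
        -webroot=https://scana11y.com/reports
    '';
  };

  systemd.timers."scana11y-wohnservice-wien.at" = {
    wantedBy = [ "timers.target" ];
    timerConfig = {
      OnCalendar = "monthly";
      # Run a missed activation at the next opportunity after downtime.
      Persistent = true;
      RandomizedDelaySec = "1h"; # spread load a bit
    };
  };

  # The secret is written as root at activation; ownership is handed to the
  # service user so the unit above can read the password file.
  sops.secrets.sa-core-mailpw.owner = "scana11y_com";
}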