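{ config, pkgs, lib, ... }:

# NixOS module for the kinealbrigtsen.no site (a WordPress install, going by
# the wp_mail() TODO at the bottom): a dedicated system user, a MySQL database
# reached over the unix socket, one php-fpm pool and an nginx virtual host.
#
# NOTE(review): no TLS settings (forceSSL/enableACME) are visible here. The
# set_real_ip_from block below suggests a reverse proxy in 192.168.11.0/24 in
# front of this host -- confirm that HTTPS is terminated and enforced there.
{
  # Unprivileged account the php-fpm workers run as. Nothing else shares it,
  # so a compromised worker only reaches this user's files and its DB grant.
  users.users.www-kinealbrigtsen-no = {
    isSystemUser = true;
    group = "www-kinealbrigtsen-no";
  };

  users.groups.www-kinealbrigtsen-no = { };

  services.mysql.ensureDatabases = [
    "www_kinealbrigtsen_no"
  ];
  services.mysql.ensureUsers = [
    {
      # Same name as the system user so MySQL's unix-socket authentication
      # applies: no database password has to live in this file or wp-config.
      name = "www-kinealbrigtsen-no";
      ensurePermissions = {
        # Day-to-day grant. Temporarily switch to the ALL PRIVILEGES line for
        # upgrades or plugins that need more (LOCK TABLES, GRANT, ...), then
        # revert so a compromised worker cannot escalate via the database.
        # "www_kinealbrigtsen_no.*" = "ALL PRIVILEGES"; # For upgrades and special procedures
        "www_kinealbrigtsen_no.*" = "SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX";
      };
    }
  ];

  services.phpfpm.pools.www-kinealbrigtsen-no = {
    user = "www-kinealbrigtsen-no";
    group = "www-kinealbrigtsen-no";
    phpOptions = lib.generators.toKeyValue {} {
      # Large media uploads. nginx must allow the same request body size
      # (client_max_body_size in the vhost below), otherwise it answers 413
      # long before PHP sees the upload and these limits are moot.
      upload_max_filesize = "1000M";
      post_max_size = "1000M";
      # NOTE(review): 1000M x pm.max_children (32) is ~32 GiB worst case --
      # size this against the host's RAM, or a request flood becomes an OOM.
      memory_limit = "1000M";
      # Do not advertise the PHP version in the X-Powered-By header.
      expose_php = "Off";
    };

    settings = {
      # The socket is owned by nginx so only the web server can submit
      # requests to this pool.
      "listen.owner" = config.services.nginx.user;
      "listen.group" = config.services.nginx.group;
      "pm" = "dynamic";
      "pm.max_children" = 32;
      "pm.start_servers" = 2;
      "pm.min_spare_servers" = 2;
      "pm.max_spare_servers" = 4;
      "pm.process_idle_timeout" = "10s";
      # Recycle workers periodically to bound leaks in long-lived processes.
      "pm.max_requests" = 1000;
    };
  };

  services.nginx.virtualHosts."kinealbrigtsen.no" = {
    serverAliases = [ "www.kinealbrigtsen.no" ];
    root = "/var/www/www-kinealbrigtsen-no";
    locations = {
      "/".extraConfig = ''
        try_files $uri $uri/ /index.php?$args;
      '';

      # Never hand PHP files from the upload tree to php-fpm, even if an
      # attacker manages to drop one there through a plugin or theme bug.
      # nginx uses the first matching regex location, and NixOS emits
      # locations ordered by priority (default 1000) then by name, so a
      # smaller priority is required for this to win over "~ \.php$".
      "~* /(?:uploads|files)/.*\\.php$" = {
        priority = 900;
        extraConfig = ''
          deny all;
        '';
      };

      "~ \\.php$".extraConfig = ''
        # Only forward scripts that exist on disk. Without this, a URI such
        # as /image.jpg/x.php reaches php-fpm, and depending on the PHP
        # cgi.fix_pathinfo setting may get image.jpg executed as PHP.
        try_files $fastcgi_script_name =404;

        include ${config.services.nginx.package}/conf/fastcgi_params;

        fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:${config.services.phpfpm.pools.www-kinealbrigtsen-no.socket};
      '';

      # Block every dot-file and dot-directory (.git, .env, .user.ini,
      # .htaccess, ...), not just .ht*; .well-known is left reachable for
      # ACME and similar protocols.
      "~ /\\.(?!well-known/)".extraConfig = ''
        deny all;
      '';

      "/favicon.ico".extraConfig = ''
        log_not_found off;
        access_log off;
      '';

      "/robots.txt".extraConfig = ''
        allow all;
        log_not_found off;
        access_log off;
      '';

      "~* \\.(js|css|png|jpg|jpeg|gif|ico)$".extraConfig =  ''
        expires max;
        log_not_found off;
      '';
    };
    extraConfig = ''
      index index.php index.html;

      # Match the php-fpm upload limits above; nginx's default is 1m.
      client_max_body_size 1000M;

      # Only trust X-Forwarded-For from the reverse-proxy subnet; from any
      # other source the header is attacker-controlled.
      set_real_ip_from 192.168.11.0/24;
      real_ip_header X-Forwarded-For;

      # Hide the nginx version in error pages and the Server header.
      server_tokens off;

      # "always" so the headers are sent on 4xx/5xx responses too, not only
      # on 2xx/3xx. frame-ancestors duplicates X-Frame-Options for browsers
      # that honour CSP.
      # NOTE(review): script-src 'self' forbids inline scripts; WordPress
      # admin pages commonly rely on them -- verify wp-admin works with this
      # policy, and extend it (default-src, style-src, ...) once the theme
      # and plugins are settled.
      add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'none';" always;
      # strict-* variant: never send the referrer on an HTTPS -> HTTP downgrade.
      add_header Referrer-Policy strict-origin-when-cross-origin always;
      add_header X-Frame-Options DENY always;
      add_header X-Content-Type-Options nosniff always;
    '';
  };

  # TODO:
  # - Configure a mailer so wp_mail() works
  # - Enable periodic backups (database and /var/www/www-kinealbrigtsen-no)
  # - Rate-limit or restrict wp-login.php and xmlrpc.php (brute-force targets)
}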