{ pkgs, lib, config, ... }:
let
  galleryDir = config.services.pvv-nettsiden.settings.GALLERY.DIR;
  transferDir = "${config.services.pvv-nettsiden.settings.GALLERY.DIR}-transfer";
in {
  users.users.${config.services.pvv-nettsiden.user} = {
    useDefaultShell = true;

    # This is pushed from microbel:/var/www/www-gallery/build-gallery.sh
    openssh.authorizedKeys.keys = [
    ''command="${pkgs.rrsync}/bin/rrsync -wo ${transferDir}",restrict,no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjHhC2dikhWs/gG+m7qP1eSohWzTehn4ToNzDSOImyR gallery-publish''
    ];
  };

  systemd.paths.pvv-nettsiden-gallery-update = {
    wantedBy = [ "multi-user.target" ];
    pathConfig = {
      PathChanged = "${transferDir}/gallery.tar.gz";
      Unit = "pvv-nettsiden-gallery-update.service";
      MakeDirectory = true;
    };
  };

  systemd.services.pvv-nettsiden-gallery-update = {
    path = with pkgs; [ imagemagick gnutar gzip ];

    script = ''
      tar ${lib.cli.toGNUCommandLineShell {} {
        extract = true;
        file = "${transferDir}/gallery.tar.gz";
        directory = ".";
      }}

      # Delete files and directories that exists in the gallery that don't exist in the tarball
      filesToRemove=$(uniq -u <(sort <(find . -not -path "./.thumbnails*") <(tar -tf ${transferDir}/gallery.tar.gz | sed 's|/$||')))
      while IFS= read fname; do
        rm -f "$fname" ||:
        rm -f ".thumbnails/$fname.png" ||:
      done <<< "$filesToRemove"

      find . -type d -empty -delete

      mkdir -p .thumbnails
      images=$(find . -type f -not -path "./.thumbnails*")

      while IFS= read fname; do
        # Skip this file if an up-to-date thumbnail already exists
        if [ -f ".thumbnails/$fname.png" ] && \
          [ "$(date -R -r "$fname")" == "$(date -R -r ".thumbnails/$fname.png")" ]
        then
          continue
        fi

        echo "Creating thumbnail for $fname"
        mkdir -p $(dirname ".thumbnails/$fname")
        convert -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||:
        touch -m -d "$(date -R -r "$fname")" ".thumbnails/$fname.png"
      done <<< "$images"
    '';

    serviceConfig = {
      WorkingDirectory = galleryDir;
      User = config.services.pvv-nettsiden.user;
      Group = config.services.pvv-nettsiden.group;

      AmbientCapabilities = [ "" ];
      CapabilityBoundingSet = [ "" ];
      DeviceAllow = [ "" ];
      LockPersonality = true;
      MemoryDenyWriteExecute = true;
      NoNewPrivileges = true; # disable for third party rotate scripts
      PrivateDevices = true;
      PrivateNetwork = true; # disable for mail delivery
      PrivateTmp = true;
      ProtectClock = true;
      ProtectControlGroups = true;
      ProtectHome = true; # disable for userdir logs
      ProtectHostname = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      ProtectProc = "invisible";
      ProtectSystem = "full";
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true; # disable for creating setgid directories
      SocketBindDeny = [ "any" ];
      SystemCallArchitectures = "native";
      SystemCallFilter = [
        "@system-service"
      ];
    };
  };
}