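# Converts the Enschede waste-collection ("afval") calendar to an iCal file
# once a day and serves it read-only over HTTPS.  The converter runs as a
# DynamicUser that only has group write access to the publishing directory;
# nginx serves that directory as a static root.
{ pkgs, config, ... }:
let
  outDir = "/srv/afvalcalendar";
  outFile = "${outDir}/afvalcalendar.ical";
  hostingGroup = "afvalcalendar-hosting";
in
{
  systemd.services.afvalcalendar = {
    description = "Enschede afvalcalendar -> ical converter";
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];

    # Write to a temporary file in the target directory and rename it into
    # place: a plain `>` redirect truncates the published file before the
    # converter has produced anything, so nginx would serve an empty or
    # half-written calendar during the run and an empty one if the converter
    # fails.  mktemp creates the file 0600, hence the explicit chmod before
    # the rename; the trap removes the temp file if anything fails.
    script = ''
      set -euo pipefail
      tmp=$(mktemp "${outFile}.XXXXXX")
      trap 'rm -f "$tmp"' EXIT
      ${pkgs.local.afvalcalendar}/bin/afvalcalendar > "$tmp"
      chmod 0664 "$tmp"
      mv -f "$tmp" "${outFile}"
    '';

    startAt = "daily";

    serviceConfig = {
      DynamicUser = true;
      # DynamicUser= only implies ProtectHome=read-only; hide /home entirely.
      ProtectHome = true;
      PrivateDevices = true;
      PrivateIPC = true;
      PrivateUsers = true;
      ProtectHostname = true;
      ProtectClock = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectKernelLogs = true;
      ProtectControlGroups = true;
      # The converter only needs to fetch over the network.
      RestrictAddressFamilies = [
        "AF_UNIX"
        "AF_INET"
        "AF_INET6"
      ];
      RestrictNamespaces = true;
      LockPersonality = true;
      MemoryDenyWriteExecute = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      SystemCallArchitectures = "native";
      SystemCallFilter = [
        "@system-service"
        "~@privileged @resources @setuid @keyring"
      ];

      # systemd spells this key UMask= (unit-file keys are case-sensitive, an
      # unknown "Umask" would be ignored) and takes an octal value.  Leave the
      # group bit set so files created here stay writable by the hosting group.
      UMask = "0002";
      SupplementaryGroups = hostingGroup;

      # DynamicUser= implies ProtectSystem=strict; this is the only path the
      # converter may write to.
      ReadWritePaths = outDir;
    };
  };

  services.nginx.virtualHosts."afvalcalendar.${config.services.nginx.domain}" = {
    forceSSL = true;
    useACMEHost = "tlater.net";
    enableHSTS = true;

    root = outDir;
  };

  users.groups.${hostingGroup} = { };
  systemd.tmpfiles.settings."10-afvalcalendar" = {
    # setgid on the directory so the file written by the ephemeral
    # DynamicUser inherits the hosting group instead of the transient user's
    # own group; group-writable so that user can create and rename into it.
    "${outDir}".d = {
      user = "nginx";
      group = hostingGroup;
      mode = "2775";
    };

    # Pre-create the published file so the vhost has something to serve
    # before the first run.  It is plain data, so no execute bit.
    "${outFile}".f = {
      user = "nginx";
      group = hostingGroup;
      mode = "0664";
    };
  };
}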