{ config, pkgs, ... }:
{

  sops.secrets.ringPushover = {
    owner = config.services.webhook.user;
  };

  services.webhook = {
    enable = true;
    hooks = {
      ring = {
        execute-command =
          let
            script = pkgs.writers.writeBash "ring-script" ''
              . ${config.sops.secrets.ringPushover.path}
              ${pkgs.curl}/bin/curl -s \
                --form-string "token=$API_KEY" \
                --form-string "user=$USER_KEY" \
                --form-string "title=Klingeling" \
                --form-string "message=Jemand an der Tür" \
                https://api.pushover.net/1/messages.json
            '';
          in
          toString script;
        response-message = "It's ringing";
      };
    };
  };

  services.nginx.virtualHosts."ring.ingolf-wagner.de" = {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      proxyPass = "http://localhost:${toString config.services.webhook.port}/${config.services.webhook.urlPrefix}/ring";
    };
  };
}