{ apacheUser, apacheGroup, aten, lib, config }: rec {
  app = aten.override { inherit (config) environment; };
  phpFpm = rec {
    preStart = ''
      if [ ! -f "${app.varDir}/currentWebappDir" -o \
          ! -f "${app.varDir}/currentKey" -o \
          "${app}" != "$(cat ${app.varDir}/currentWebappDir 2>/dev/null)" ] \
          || ! sha512sum -c --status ${app.varDir}/currentKey; then
        pushd ${app} > /dev/null
        /run/wrappers/bin/sudo -u ${apacheUser} APP_ENV=${app.environment} ./bin/console --env=${app.environment} cache:clear --no-warmup
        popd > /dev/null
        echo -n "${app}" > ${app.varDir}/currentWebappDir
        sha512sum /var/secrets/webapps/${app.environment}-aten > ${app.varDir}/currentKey
      fi
      '';
    serviceDeps = [ "postgresql.service" ];
    socket = "/var/run/phpfpm/aten-${app.environment}.sock";
    pool = ''
      listen = ${socket}
      user = ${apacheUser}
      group = ${apacheGroup}
      listen.owner = ${apacheUser}
      listen.group = ${apacheGroup}
      php_admin_value[upload_max_filesize] = 20M
      php_admin_value[post_max_size] = 20M
      ;php_admin_flag[log_errors] = on
      php_admin_value[open_basedir] = "${app}:${app.varDir}:/tmp"
      php_admin_value[session.save_path] = "${app.varDir}/phpSessions"
      ${if app.environment == "dev" then ''
      pm = ondemand
      pm.max_children = 5
      pm.process_idle_timeout = 60
      env[SYMFONY_DEBUG_MODE] = "yes"
      '' else ''
      pm = dynamic
      pm.max_children = 20
      pm.start_servers = 2
      pm.min_spare_servers = 1
      pm.max_spare_servers = 3
      ''}'';
  };
  keys = [{
    dest = "webapps/${app.environment}-aten";
    user = apacheUser;
    group = apacheGroup;
    permissions = "0400";
    text = ''
      SetEnv APP_ENV      "${app.environment}"
      SetEnv APP_SECRET   "${config.secret}"
      SetEnv DATABASE_URL "${config.psql_url}"
      '';
  }];
  apache = rec {
    modules = [ "proxy_fcgi" ];
    webappName = "aten_${app.environment}";
    root = "/run/current-system/webapps/${webappName}";
    vhostConf = ''
    <FilesMatch "\.php$">
      SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
    </FilesMatch>

    Include /var/secrets/webapps/${app.environment}-aten

    ${if app.environment == "dev" then ''
    <Location />
      Use LDAPConnect
      Require ldap-group   cn=dev.aten.pro,cn=httpd,ou=services,dc=immae,dc=eu
      ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://aten.pro\"></html>"
    </Location>

    <Location /backend>
      Use LDAPConnect
      Require ldap-group   cn=dev.aten.pro,cn=httpd,ou=services,dc=immae,dc=eu
      ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://aten.pro\"></html>"
    </Location>
    '' else ''
    Use Stats aten.pro

    <Location /backend>
      Use LDAPConnect
      Require ldap-group   cn=aten.pro,cn=httpd,ou=services,dc=immae,dc=eu
      ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://aten.pro\"></html>"
    </Location>
    ''}

    <Directory ${root}>
      Options Indexes FollowSymLinks MultiViews Includes
      AllowOverride All
      Require all granted
      DirectoryIndex index.php
      FallbackResource /index.php
    </Directory>
    '';
  };
  activationScript = {
    deps = [ "wrappers" ];
    text = ''
    install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}
    install -m 0750 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}/phpSessions
    '';
  };
}