{ config, pkgs, ... }:
let
  proxy = path: {
    http2 = true;
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = path;
      proxyWebsockets = true;
    };
  };
  bigProxy = path: {
    http2 = true;
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = path;
      proxyWebsockets = true;
      extraConfig = ''
        client_max_body_size 0;
      '';
    };
  };
  redirect = dest: {
    forceSSL = true;
    enableACME = true;
    http2 = true;
    globalRedirect = dest;
  };
  k8sProxy = proxy "http://kubernetes.lxd:8080/";
in {
  imports = [ ../../common ../../common/lxc.nix ];
  networking.hostName = "nginx";
  system.stateVersion = "21.11";
  networking.firewall.enable = true;
  networking.firewall.allowedTCPPorts = [ 80 443 9113 9117 ];
  services.nginx = {
    enable = true;
    commonHttpConfig = ''
      log_format custom   '$remote_addr - $remote_user [$time_local] '
                          '"$host" "$request" $status $body_bytes_sent '
                          '"$http_referer" "$http_user_agent" "$http_x_forwarded_for"';

      access_log /var/log/nginx/access.log custom;

      # Below has been borrowed from 
      # https://nixos.wiki/wiki/Nginx#Hardened_setup_with_TLS_and_HSTS_preloading

      # Add HSTS header with preloading to HTTPS requests.
      # Adding this header to HTTP requests is discouraged
      map $scheme $hsts_header {
          https   "max-age=31536000; includeSubdomains; preload";
      }
      add_header Strict-Transport-Security $hsts_header;

      # No CSP yet, this will break like 5 sites I'm sure.
      #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;

      # Minimize information leaked to other domains
      add_header 'Referrer-Policy' 'strict-origin-when-cross-origin';

      # Disable embedding as a frame
      add_header X-Frame-Options DENY;

      # Prevent injection of code in other mime types (XSS Attacks)
      add_header X-Content-Type-Options nosniff;

      # Enable XSS protection of the browser.
      # May be unnecessary when CSP is configured properly (see above)
      add_header X-XSS-Protection "1; mode=block";

    '';
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    recommendedGzipSettings = true;
    package = pkgs.nginxMainline;
    statusPage = true;

    virtualHosts."asraphiel.dev" = {
      forceSSL = true;
      http2 = true;
      enableACME = true;
      default = true;
      root = "/etc/main";
      locations."/very/hidden/index.html" = {
        return = "301 https://youtu.be/dQw4w9WgXcQ";
      };
    };
    virtualHosts."auth.asraphiel.dev" = k8sProxy;

    virtualHosts."git.asraphiel.dev" = proxy "http://gitea.lxd:3000/";
    virtualHosts."drone.asraphiel.dev" = k8sProxy;

    virtualHosts."vault.asraphiel.dev" = proxy "http://vault.lxd:8200/";

    virtualHosts."s3.asraphiel.dev" = bigProxy "http://minio.lxd:9000/";
    virtualHosts."shell.s3.asraphiel.dev" = proxy "http://minio.lxd:9001/";
    virtualHosts."cdn.voidcorp.nl" = redirect "s3.asraphiel.dev";
    virtualHosts."cdn.asraphiel.dev" = k8sProxy;

    virtualHosts."registry.asraphiel.dev" = bigProxy "http://registry.lxd:5000/";
    virtualHosts."vaultwarden.asraphiel.dev" =
      proxy "http://vaultwarden.lxd:8000/";
    virtualHosts."analytics.asraphiel.dev" = redirect "ikaros.asraphiel.dev";
    virtualHosts."ikaros.asraphiel.dev" = k8sProxy;
    virtualHosts."whoami.asraphiel.dev" = k8sProxy;
    virtualHosts."tickets.asraphiel.dev" = k8sProxy;

    virtualHosts."stats.asraphiel.dev" = proxy "http://grafana.lxd:2345/";

    virtualHosts."groenehartansichtkaarten.nl" = k8sProxy;
    virtualHosts."ansichtkaarten.asraphiel.dev" = k8sProxy;

    virtualHosts."galerievanslagmaat.nl" = k8sProxy;
    virtualHosts."galerie.asraphiel.dev" = k8sProxy;
    virtualHosts."staging.galerievanslagmaat.nl" = k8sProxy;
    virtualHosts."galerie-staging.asraphiel.dev" = k8sProxy;
    virtualHosts."www.galerievanslagmaat.nl" = redirect "galerievanslagmaat.nl";
    virtualHosts."galeriewoerden.nl" = redirect "galerievanslagmaat.nl";
    virtualHosts."www.galeriewoerden.nl" = redirect "galerievanslagmaat.nl";

    virtualHosts."weg.asraphiel.dev" = k8sProxy;
  };

  services.prometheus.exporters.nginx.enable = true;
  services.prometheus.exporters.nginxlog.enable = true;
  services.prometheus.exporters.nginxlog.user = config.services.nginx.user;
  services.prometheus.exporters.nginxlog.settings = {
    consul = { enable = false; };

    namespaces = [{
      name = "asraphiel";
      format = ''
        $remote_addr - $remote_user [$time_local] "$host" "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"'';
      source = {

        files = [ "/var/log/nginx/access.log" ];
      };
      relabel_configs = [
        {
          target_label = "remote_addr";
          from = "remote_addr";
        }
        {
          target_label = "host";
          from = "host";
        }
      ];
      histogram_buckets =
        [ 5.0e-3 1.0e-2 2.5e-2 5.0e-2 0.1 0.25 0.5 1 2.5 5 10 ];

    }];
  };

  security.acme.defaults.email = "acme@voidcorp.nl";
  security.acme.acceptTerms = true;
  environment.etc."main/index.html" = {
    enable = true;
    source = ./index.html;
  };

}