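# NixOS module: nginx front end for the homelab.
#
# When `modules.homelab.nginx-proxy.enable` is set, this module
#   - enables nginx with the recommended proxy and TLS settings,
#   - sets ACME defaults (terms accepted, contact e-mail),
#   - serves the public PGP key `klefki_pub.asc` on `key.<public_domain>`
#     over TLS with a certificate/key pair taken from sops secrets.
{ pkgs, config, lib, ... }:

let
  cfg = config.modules.homelab.nginx-proxy;
  sec = config.sops.secrets;
  homelab = config.modules.homelab;
in
{
  options.modules.homelab.nginx-proxy = {
    enable = lib.mkEnableOption "enables nginx-proxy";
  };

  config = lib.mkIf cfg.enable {
    # enable nginx (used as the reverse proxy / static front end)
    services.nginx = {
      enable = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      # http-level setting, so it applies to every virtual host: any 404 is
      # answered with a 302 redirect to an external third-party URL.
      commonHttpConfig = ''
        error_page 404 =302 https://www.youtube.com/watch?v=dQw4w9WgXcQ;
      '';
    };

    # enable acme for auto ssl certs with lets encrypt
    # (only defaults are set here; the vhost below uses the static sops cert)
    security.acme = {
      acceptTerms = true;
      defaults.email = "me@blakedheld.xyz";
    };

    # Web root for the published key material.
    # NOTE(review): the directory is owned by and writable for the nginx user;
    # a root-owned, read-only web root would keep a compromised worker from
    # altering what is served here. Confirm nothing needs nginx to write to it.
    systemd.tmpfiles.rules = [
      "d /var/www/keys 0755 nginx nginx -"
    ];

    # static entries
    services.nginx.virtualHosts."key.${homelab.public_domain}" = {
      forceSSL = true;
      sslCertificate = sec."ssl_blakedheld_crt".path;
      sslCertificateKey = sec."ssl_blakedheld_key".path;
      root = "/var/www/keys";
      locations."/" = {
        index = "klefki_pub.asc";
        # The header value has to be ONE quoted argument: a bare `;` ends an
        # nginx directive, so the previous form left `"filename=..."` behind as
        # a separate, unknown directive and the config would not parse.
        # Also note that an add_header at this level replaces any add_header
        # inherited from the server/http level for this location.
        extraConfig = ''
          add_header Content-Disposition "attachment; filename=klefki_pub.asc";
          default_type application/pgp-keys;
        '';
      };
    };

    # nginx secrets
    sops.secrets = {
      "ssl_blakedheld_crt" = {
        restartUnits = [ "nginx.service" ];
        owner = "nginx";
        group = "nginx";
      };
      # TLS private key: readable by the nginx user only as far as the sops
      # defaults allow. Restart nginx on change as well, so a rotated key is
      # never left paired with a stale in-memory certificate.
      "ssl_blakedheld_key" = {
        restartUnits = [ "nginx.service" ];
        owner = "nginx";
        group = "nginx";
      };
      # Public key file, placed directly inside the web root served above.
      "klefki_pub.asc" = {
        owner = "nginx";
        group = "nginx";
        path = "/var/www/keys/klefki_pub.asc";
      };
    };
  };
}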