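{ pkgs, config, lib, ... }:
let
  cfg = config.modules.homelab.nginx-proxy;
  sec = config.sops.secrets;
  homelab = config.modules.homelab;
in
{
  options.modules.homelab.nginx-proxy = {
    enable = lib.mkEnableOption "enables nginx-proxy";
  };

  config = lib.mkIf cfg.enable {
    # enable nginx proxy manager
    services.nginx = {
      enable = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
    };

    # enable acme for auto ssl certs with lets encrypt
    # NOTE(review): the vhost below uses the sops-provided certificate, not ACME;
    # these settings only take effect for hosts that opt into ACME elsewhere — confirm.
    security.acme = {
      acceptTerms = true;
      defaults.email = "me@blakedheld.xyz";
    };

    # static entries
    # key.<public_domain>: serves the klefki public key (decrypted by sops into
    # /etc/webroot_keys) as the directory index; plain HTTP is redirected to HTTPS.
    services.nginx.virtualHosts."key.${homelab.public_domain}" = {
      forceSSL = true;
      sslCertificate = sec."ssl_blakedheld_crt".path;
      sslCertificateKey = sec."ssl_blakedheld_key".path;
      locations."/" = {
        root = "/etc/webroot_keys";
        index = "klefki_pub.asc";
      };
    };

    # nginx secrets
    # The certificate and its private key are loaded by nginx at startup, so both
    # must restart nginx.service when re-deployed. Previously only the certificate
    # did; a rotated key would have stayed unread (and mismatched with the new
    # certificate) until some unrelated restart.
    sops.secrets = {
      "ssl_blakedheld_crt" = {
        restartUnits = [ "nginx.service" ];
        owner = "nginx";
        group = "nginx";
        # neededForUsers = true;
      };
      "ssl_blakedheld_key" = {
        restartUnits = [ "nginx.service" ];
        owner = "nginx";
        group = "nginx";
        # neededForUsers = true;
      };
      # Public key only; placed directly under the vhost's webroot so nginx
      # serves it as the index file.
      "klefki_pubkey.asc" = {
        owner = "nginx";
        group = "nginx";
        path = "/etc/webroot_keys/klefki_pub.asc";
        # neededForUsers = true;
      };
    };
  };
}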