# Part of config shamelessly stolen from:
#
# https://github.com/delroth/infra.delroth.net
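# NixOS module: opinionated nginx reverse-proxy baseline.
#
# Setting `my.services.nginx.enable` turns on nginx with the upstream
# "recommended" presets, opens the HTTP/HTTPS ports, wires up a loopback-only
# Prometheus exporter plus its scrape job, and requests an ACME certificate
# for the host's FQDN through a DNS provider.
{
  config,
  lib,
  pkgs,
  ...
}: let
  inherit
    (lib)
    mkEnableOption
    mkIf
    ;

  cfg = config.my.services.nginx;

  # Single source of truth for the exporter endpoint, so the scrape target
  # below cannot drift from the address/port the exporter actually binds.
  nginxExporter = config.services.prometheus.exporters.nginx;
in {
  options.my.services.nginx = {
    enable = mkEnableOption "Nginx reverse proxy";
  };

  # Applied only when `my.services.nginx.enable` is set: makes sure the nginx
  # defaults, monitoring and certificate plumbing are configured together.
  config = mkIf cfg.enable {
    services.nginx = {
      enable = true;
      # Status endpoint for monitoring scraping.
      # NOTE(review): the NixOS option is documented as reachable from
      # localhost only; confirm no vhost defined elsewhere re-exposes
      # /nginx_status publicly.
      statusPage = true;

      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedTlsSettings = true;
      recommendedProxySettings = true;
    };

    # Publicly reachable ports. The certificate requested below goes through a
    # DNS provider, so port 80 is presumably kept for plain-HTTP vhosts or
    # redirects rather than for ACME validation -- confirm against the vhosts.
    networking.firewall.allowedTCPPorts = [80 443];

    services.prometheus = {
      exporters.nginx = {
        enable = true;
        # Loopback only: the metrics endpoint is not opened in the firewall
        # and should not be reachable from other hosts.
        listenAddress = "127.0.0.1";
      };

      scrapeConfigs = [
        {
          job_name = "nginx";
          static_configs = [
            {
              targets = ["${nginxExporter.listenAddress}:${toString nginxExporter.port}"];
              labels = {
                instance = config.networking.hostName;
              };
            }
          ];
        }
      ];
    };

    security.acme = {
      acceptTerms = true;
      defaults.email = "antoine97.martin@gmail.com";

      certs = let
        domain = config.networking.domain;
        hostname = config.networking.hostName;
        fqdn = "${hostname}.${domain}";
      in {
        "${fqdn}" = {
          dnsProvider = "ovh";
          # Only the path of the age-managed secret is referenced here, so the
          # API credentials themselves are not embedded in this configuration.
          # NOTE(review): the OVH token should be scoped to DNS record edits
          # on this zone only -- verify when rotating it.
          credentialsFile = config.age.secrets."ovh/credentials".path;
          # Certificate and private key are made readable by the nginx group
          # so the web server can load them.
          group = "nginx";
        };
      };
    };
  };
}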