{ config, pkgs, lib, ... }:
let
  cfg = config.services.vm_nginx;
in
{
  options.services.vm_nginx = {
    enable = lib.mkEnableOption "Enable minimal config";
  };
  config = lib.mkIf cfg.enable {
    security.acme = {
      acceptTerms = true;
      defaults.email = "theo.barnouin@le43.eu";
    };
    services = {
      fail2ban = {
        jails = {
          nginx-http-auth = ''
            enabled  = true
            port     = http,https
            logpath  = /var/log/nginx/*.log
            backend  = polling
            journalmatch =
          '';
          nginx-botsearch = ''
            enabled  = true
            port     = http,https
            logpath  = /var/log/nginx/*.log
            backend  = polling
            journalmatch =
          '';
          nginx-bad-request = ''
            enabled  = true
            port     = http,https
            logpath  = /var/log/nginx/*.log
            backend  = polling
            journalmatch =
          '';
        };
      };
      nginx = {
        enable = true;
        recommendedGzipSettings = true;
        recommendedOptimisation = true;
        recommendedProxySettings = true;
        recommendedTlsSettings = true;
        clientMaxBodySize = "10000m";
        sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
        appendHttpConfig = ''
          # Add HSTS header with preloading to HTTPS requests.
          # Adding this header to HTTP requests is discouraged
          map $scheme $hsts_header {
              https   "max-age=31536000; includeSubdomains; preload";
          }
          add_header Strict-Transport-Security $hsts_header;
    
          # Enable CSP for your services.
          #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
    
          # Minimize information leaked to other domains
          add_header 'Referrer-Policy' 'origin-when-cross-origin';
    
          # Disable embedding as a frame
          add_header X-Frame-Options DENY;
    
          # Prevent injection of code in other mime types (XSS Attacks)
          add_header X-Content-Type-Options nosniff;
          client_body_buffer_size 400M;
        '';
        user = "tbarnouin";
        logError = "syslog:server=unix:/dev/log";
        commonHttpConfig = ''
          access_log syslog:server=unix:/dev/log;
        '';
        virtualHosts."logs.le43.eu" = {
          forceSSL = true;
          enableACME = true;
          locations."/" = {
            proxyPass = "http://192.168.1.20:3000";
            proxyWebsockets = true;
            recommendedProxySettings = true;
          };
        };
        virtualHosts."play.le43.eu" = {
          forceSSL = true;
          enableACME = true;
          locations."/" = {
            proxyPass = "http://192.168.1.42:8096";
            recommendedProxySettings = true;
          };
        };
        virtualHosts."cloud.le43.eu" = {
          forceSSL = true;
          enableACME = true;
          locations."/" = {
            proxyPass = "http://192.168.1.44";
            proxyWebsockets = true;
            recommendedProxySettings = true;
          };
        };
        virtualHosts."collabora.le43.eu" = {
          forceSSL = true;
          enableACME = true;
          locations."/" = {
            proxyPass = "http://192.168.1.46:9980";
            proxyWebsockets = true;
            recommendedProxySettings = true;
          };
        };
        virtualHosts."git.le43.eu" = {
          forceSSL = true;
          enableACME = true;
          locations."/" = {
            proxyPass = "http://192.168.1.14:3000";
            recommendedProxySettings = true;
          };
        };
        virtualHosts."authentik.le43.eu" = {
          forceSSL = true;
          enableACME = true;
          locations."/" = {
            proxyPass = "http://192.168.1.25:9000";
            recommendedProxySettings = true;
            proxyWebsockets = true;
          };
        };
      };
    };
    networking.firewall.allowedTCPPorts = [ 80 443 ];
  };
}