{ config, pkgs, ... }:
let host = "stuce.ch";
in {
  security.acme = {
    acceptTerms = true;
    defaults.email = "lefabricesaucy@outlook.com";
  };
  services.nginx = {
    enable = true;
    # Use recommended settings
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    # Only allow PFS-enabled ciphers with AES256
    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";

    virtualHosts."cal.${host}" = {
      enableACME = true;
      forceSSL = true;
      extraConfig =
        " 	rewrite ^/.well-known/carddav / redirect;\n	rewrite ^/.well-known/caldav / redirect;\n ";
      locations."/" = {
        proxyPass = "http://localhost:5232";
        # 	   extraConfig = ''
        # 	   proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
        # 	   proxy_set_header  X-Forwarded-Host $host;
        # 	   proxy_set_header  X-Forwarded-Port $server_port;
        # 	   proxy_set_header  X-Forwarded-Proto $scheme;
        # 	   proxy_set_header  Host $http_host;
        # 	   proxy_pass_header Authorization;
        # '';
      };
    };
    virtualHosts."eink.${host}" = {
      forceSSL = true;
      # sslCertificateKey = "/etc/nginx/certs/ca.key";
      # sslCertificate = "/etc/nginx/certs/ca.crt";
      extraConfig = ''
        ssl_client_certificate /etc/nginx/certs/client.crt;
        ssl_verify_client on;
      '';
      locations."/" = {
        # TODO fastcgi to the script
        extraConfig = "return 200 'handshake worked !!!';";
      };
    };

    virtualHosts."vault.${host}" = {
      enableACME = true;
      forceSSL = true;
      extraConfig = "include /etc/nginx/snippets/authelia-location.conf;";
      locations."/" = {
        proxyPass = "http://127.0.0.1:${
            toString config.services.vaultwarden.config.ROCKET_PORT
          }";
      };
      locations."/admin" = {
        extraConfig = ''
          include /etc/nginx/snippets/proxy.conf;
          include /etc/nginx/snippets/authelia-authrequest.conf;
        '';
        proxyPass = "http://127.0.0.1:${
            toString config.services.vaultwarden.config.ROCKET_PORT
          }";
      };
    };

    virtualHosts."armee.${host}" = {
      root = "/var/www/armee";
      forceSSL = true;
      enableACME = true;
      extraConfig = "include /etc/nginx/snippets/authelia-location.conf;";

      locations."/plans" = {
        extraConfig = ''
          autoindex on;
          include /etc/nginx/snippets/proxy.conf;
          include /etc/nginx/snippets/authelia-authrequest.conf;
        '';
      };
      locations."/notes" = {
        extraConfig = ''
          include /etc/nginx/snippets/proxy.conf;
          include /etc/nginx/snippets/authelia-authrequest.conf;
        '';
      };
    };

    virtualHosts."auth.${host}" = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "http://localhost:9091";
        proxyWebsockets = true;
        extraConfig = "include /etc/nginx/snippets/proxy.conf;";
      };
      locations."/api/verify" = { proxyPass = "http://localhost:9091"; };
      locations."/api/authz" = { proxyPass = "http://localhost:9091"; };
    };

    virtualHosts."ldap.${host}" = {
      forceSSL = true;
      enableACME = true;
      extraConfig = "include /etc/nginx/snippets/authelia-location.conf;";
      locations."/" = {
        proxyPass = "http://localhost:17170";
        extraConfig = "include /etc/nginx/snippets/proxy.conf;";
      };
    };

    virtualHosts."git.${host}" = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        extraConfig = ''
          	client_max_body_size 512M;
            proxy_pass http://localhost:3000;
            proxy_set_header Connection $http_connection;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        '';
      };
    };
  };

  # TODO: make a simple script around here that lets you regenerate or update every value when needed
  # NOTE: does not work as expected
  # systemd.services.authelia-main.preStart = ''
  #   [ -f /var/lib/authelia-main/jwt-secret ] || {
  #     "${pkgs.openssl}/bin/openssl" rand -base64 32 > /var/lib/authelia-main/jwtSecret
  #   }
  #   [ -f /var/lib/authelia-main/storage-encryption-file ] || {
  #     "${pkgs.openssl}/bin/openssl" rand -base64 32 > /var/lib/authelia-main/storageEncryptionKeyFile
  #   }
  #   [ -f /var/lib/authelia-main/session-secret-file ] || {
  #     "${pkgs.openssl}/bin/openssl" rand -base64 32 > /var/lib/authelia-main/sessionSecretFile
  #   }
  #   [ -f /var/lib/authelia-main/hmac ] || {
  #     "${pkgs.openssl}/bin/openssl" rand -base64 64 > /var/lib/authelia-main/hmac
  #   }
  #   [ -f /var/lib/authelia-main/rsa.2048.key ] || {
  #     "${pkgs.openssl}/bin/openssl" genpkey -algorithm RSA -out /var/lib/authelia-main/rsa.2048.key -pkeyopt rsa_keygen_bits:2048
  #   }
  # '';

  environment.etc."nginx/snippets/authelia-location.conf" = {
    user = "nginx";
    group = "nginx";
    text = ''
      set $upstream_authelia http://localhost:9091/api/authz/auth-request;

      ## Virtual endpoint created by nginx to forward auth requests.
      location /internal/authelia/authz {
      ## Essential Proxy Configuration
      internal;
      proxy_pass $upstream_authelia;

      ## Headers
      ## The headers starting with X-* are required.
      proxy_set_header X-Original-Method $request_method;
      proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
      proxy_set_header X-Forwarded-For $remote_addr;
      proxy_set_header Content-Length "";
      proxy_set_header Connection "";

      ## Basic Proxy Configuration
      proxy_pass_request_body off;
      proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; # Timeout if the real server is dead
      proxy_redirect http:// $scheme://;
      #proxy_http_version 1.1;
      proxy_cache_bypass $cookie_session;
      proxy_no_cache $cookie_session;
      proxy_buffers 4 32k;
      client_body_buffer_size 128k;

      ## Advanced Proxy Configuration
      send_timeout 5m;
      proxy_read_timeout 240;
      proxy_send_timeout 240;
      proxy_connect_timeout 240;
      }
    '';
  };
  environment.etc."nginx/snippets/authelia-authrequest.conf" = {
    user = "nginx";
    group = "nginx";
    text = ''
      ## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource.
      auth_request /internal/authelia/authz;

      ## Save the upstream metadata response headers from Authelia to variables.
      auth_request_set $user $upstream_http_remote_user;
      auth_request_set $groups $upstream_http_remote_groups;
      auth_request_set $name $upstream_http_remote_name;
      auth_request_set $email $upstream_http_remote_email;

      ## Inject the metadata response headers from the variables into the request made to the backend.
      proxy_set_header Remote-User $user;
      proxy_set_header Remote-Groups $groups;
      proxy_set_header Remote-Email $email;
      proxy_set_header Remote-Name $name;

      ## Configure the redirection when the authz failure occurs. Lines starting with 'Modern Method' and 'Legacy Method'
      ## should be commented / uncommented as pairs. The modern method uses the session cookies configuration's authelia_url
      ## value to determine the redirection URL here. It's much simpler and compatible with the mutli-cookie domain easily.

      ## Modern Method: Set the $redirection_url to the Location header of the response to the Authz endpoint.
      auth_request_set $redirection_url $upstream_http_location;

      ## Modern Method: When there is a 401 response code from the authz endpoint redirect to the $redirection_url.
      error_page 401 =302 $redirection_url;

      ## Legacy Method: Set $target_url to the original requested URL.
      ## This requires http_set_misc module, replace 'set_escape_uri' with 'set' if you don't have this module.
      # set_escape_uri $target_url $scheme://$http_host$request_uri;

      ## Legacy Method: When there is a 401 response code from the authz endpoint redirect to the portal with the 'rd'
      ## URL parameter set to $target_url. This requires users update 'auth.stuce.com/' with their external authelia URL.
      # error_page 401 =302 https://auth.stuce.com/?rd=$target_url;
    '';
  };

  environment.etc."nginx/snippets/proxy.conf" = {
    user = "nginx";
    group = "nginx";
    text = ''
      ## Headers
      proxy_set_header Host $host;
      proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Forwarded-Host $http_host;
      proxy_set_header X-Forwarded-URI $request_uri;
      proxy_set_header X-Forwarded-Ssl on;
      proxy_set_header X-Forwarded-For $remote_addr;
      proxy_set_header X-Real-IP $remote_addr;

      ## Basic Proxy Configuration
      client_body_buffer_size 128k;
      proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; ## Timeout if the real server is dead.
      proxy_redirect  http://  $scheme://;
      #proxy_http_version 1.1;
      proxy_cache_bypass $cookie_session;
      proxy_no_cache $cookie_session;
      proxy_buffers 64 256k;

      ## Trusted Proxies Configuration
      ## Please read the following documentation before configuring this:
      ##     https://www.authelia.com/integration/proxies/nginx/#trusted-proxies
      # set_real_ip_from 10.0.0.0/8;
      # set_real_ip_from 172.16.0.0/12;
      # set_real_ip_from 192.168.0.0/16;
      # set_real_ip_from fc00::/7;
      real_ip_header X-Forwarded-For;
      real_ip_recursive on;

      ## Advanced Proxy Configuration
      send_timeout 5m;
      proxy_read_timeout 360;
      proxy_send_timeout 360;
      proxy_connect_timeout 360;
    '';
  };

}