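# NixOS module: shared nginx (OpenResty) base configuration.
#
# Options under `modules.services.nginx-config`:
#   enable                - turn the module on (default false)
#   package               - nginx package to run; defaults to pkgs.openresty,
#                           which is what provides the lua_* directives used
#                           in commonHttpConfig
#   defaultLuaPackagePath - directory whose *.lua files are put first on
#                           lua_package_path; has no usable default and must
#                           be set explicitly (enforced by an assertion)
{ config, lib, pkgs, options, ... }:
with lib;
let
  cfg = config.modules.services.nginx-config;
in
{
  options.modules.services.nginx-config = {
    enable = mkOption {
      type = types.bool;
      default = false;
    };
    package = mkOption {
      type = types.package;
      default = pkgs.openresty;
    };
    defaultLuaPackagePath = mkOption {
      # nullOr is required: a bare `types.path` rejects the `null` default at
      # evaluation time, so the "must be specified" assertion below could never
      # be reached and the user would get an opaque type error instead.
      type = types.nullOr types.path;
      default = null;
    };
  };

  config = mkIf cfg.enable {
    assertions = [
      {
        assertion = cfg.defaultLuaPackagePath != null;
        # The NixOS assertion checker reads `message`; a `description` key is
        # ignored and a failing assertion would surface as
        # "attribute 'message' missing" rather than this text.
        message = "The defaultLuaPackagePath property *must* be explicitly specified.";
      }
    ];

    security.acme = {
      acceptTerms = true;
      defaults.email = "reidlab325@gmail.com";
      # defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
    };

    services.nginx = {
      enable = true;
      package = cfg.package;
      recommendedTlsSettings = true;
      recommendedOptimisation = true;
      recommendedGzipSettings = true;
      recommendedProxySettings = true;
      logError = "stderr warn";

      # TODO: clean this up oh my god like everything here :sob: im vomiting shaking and crying looking at this.
      #
      # Rendered into the `http {}` block of every vhost this host serves.
      commonHttpConfig =
        let
          # lua — pinned by tag + sha256; the `/lib/?.lua` subpath of each is
          # appended to lua_package_path below.
          lua-resty-template = pkgs.fetchFromGitHub {
            owner = "bungle";
            repo = "lua-resty-template";
            rev = "v2.0";
            sha256 = "1gpyjq3ms5ib8xiz6k9z97cjifx9zp1dyjkr58b2s034xksy2vb1";
          };
          lua-resty-redis = pkgs.fetchFromGitHub {
            owner = "openresty";
            repo = "lua-resty-redis";
            rev = "v0.29";
            sha256 = "089ishx4482ybfsv10ig8h3cpsdw6rvgy0w874h1c7m1gk2fd7r9";
          };
          lua-resty-websocket = pkgs.fetchFromGitHub {
            owner = "openresty";
            repo = "lua-resty-websocket";
            rev = "v0.10";
            sha256 = "0zpprfi5qc3066ab7g7nyr18jwlk3n8y0006maj4nlx38rl24vfh";
          };

          # cloudflare
          # One `set_real_ip_from <cidr>;` line per entry. Empty entries (e.g.
          # from a trailing newline in the fetched list) are dropped first,
          # because `set_real_ip_from ;` is an nginx syntax error that would
          # stop the whole server from starting.
          realIpsFromList = cidrs:
            lib.strings.concatMapStringsSep "\n" (cidr: "set_real_ip_from ${cidr};")
              (builtins.filter (cidr: cidr != "") cidrs);
          # Split a fetched text file into its lines.
          fileToList = file: lib.strings.splitString "\n" (builtins.readFile file);
          # Pinned snapshots of Cloudflare's published edge ranges. They are only
          # as current as the sha256: when Cloudflare changes the list this must
          # be re-pinned, otherwise traffic from new edge IPs keeps the edge
          # address as $remote_addr instead of trusting CF-Connecting-IP.
          cfipv4 = fileToList (pkgs.fetchurl {
            url = "https://www.cloudflare.com/ips-v4";
            sha256 = "0ywy9sg7spafi3gm9q5wb59lbiq0swvf0q3iazl0maq1pj1nsb7h";
          });
          cfipv6 = fileToList (pkgs.fetchurl {
            url = "https://www.cloudflare.com/ips-v6";
            sha256 = "1ad09hijignj6zlqvdjxv7rjj8567z357zfavv201b9vx3ikk7cy";
          });
        in ''
          lua_package_path "${toString cfg.defaultLuaPackagePath}/?.lua;;${lua-resty-template}/lib/?.lua;;${lua-resty-redis}/lib/?.lua;;${lua-resty-websocket}/lib/?.lua;;";

          # HSTS only on https; on plain http $hsts_header is empty and nginx
          # omits the header entirely.
          map $scheme $hsts_header {
            https "max-age=31536000; includeSubdomains; preload";
          }
          add_header Strict-Transport-Security $hsts_header;

          # NOTE: nginx `add_header` is not additive across levels -- any
          # server/location block that declares its own add_header loses every
          # header set here. Vhosts that add headers must repeat these.

          # Enable CSP for your services.
          # add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
          # ^ this above breaks forgejo/gitea so
          add_header 'Referrer-Policy' 'origin-when-cross-origin';
          add_header X-Content-Type-Options nosniff;
          # X-XSS-Protection is a legacy header; current browsers ignore it and
          # CSP is the supported replacement. Kept for older clients.
          add_header X-XSS-Protection "1; mode=block";
          # This might create errors
          proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";

          # Trust CF-Connecting-IP only when the TCP peer is a Cloudflare edge;
          # from any other peer the header is ignored and $remote_addr stays the
          # real peer address.
          ${realIpsFromList cfipv4}
          ${realIpsFromList cfipv6}
          real_ip_header CF-Connecting-IP;
        '';
    };

    networking.firewall.allowedTCPPorts = [ 443 80 ];
    # UDP 443/80 would only matter for HTTP/3 (QUIC), which nothing in this
    # module enables; these could be dropped without affecting TCP service.
    networking.firewall.allowedUDPPorts = [ 443 80 ];
  };
}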