{ config, pkgs, ... }:

{
  imports = [ ../../profiles/nginx.nix ];

  systemd.services.nginx = {
    serviceConfig.BindReadOnlyPaths = [
      "/home/asmadeus/www:/www/local"
    ];
  };

  services.nginx.virtualHosts =  {
    "jormungand.codewreck.org" = {
      forceSSL = true;
      enableACME = true;
      locations."/mpd/" = {
        proxyPass = "http://127.0.0.1:8080/";
        # /var/spool/nginx/mpd.htpasswd has been populated manually
        # until proper secrets get managed...
        extraConfig = ''
          auth_basic "mpd";
          auth_basic_user_file /var/spool/nginx/mpd.htpasswd;
        '';
      };
      locations."/local/" = {
        root = "/www";
      };
      locations."/" = {
        extraConfig = ''
          rewrite ^ https://codewreck.org$request_uri? redirect;
        '';
      };
    };

    "test.codewreck.org" = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "http://[::1]:10000/";
        extraConfig = ''
          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "upgrade";
	  proxy_read_timeout 1800;
	  proxy_send_timeout 1800;
        '';
      };
    };

    "miniflux.codewreck.org" = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "http://[::1]:8081/";
      };
    };

    "matrix.codewreck.org" = {
      forceSSL = true;
      enableACME = true;
      locations."/".extraConfig = ''
        return 404;
      '';
      locations."/_matrix" = {
        proxyPass = "http://[::1]:8008";
      };
    };

    "riot.codewreck.org" = {
      forceSSL = true;
      enableACME = true;
      root = pkgs.element-web.override {
        conf = {
          default_server_config."m.homeserver" = {
            "base_url" = "https://matrix.codewreck.org";
            "server_name" = "codewreck.org";
          };
        };
      };
    };
  };
}