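{ config, lib, pkgs, ... }:

let
  # Variables handed to the cgit uwsgi backend (the usual uwsgi_params set).
  # PATH_INFO is taken from $document_uri (URI after internal rewrites); the
  # raw $request_uri is passed separately.
  uwsgi_params = builtins.toFile "uwsgi_param" ''
    uwsgi_param QUERY_STRING $query_string;
    uwsgi_param REQUEST_METHOD $request_method;
    uwsgi_param CONTENT_TYPE $content_type;
    uwsgi_param CONTENT_LENGTH $content_length;
    uwsgi_param REQUEST_URI $request_uri;
    uwsgi_param PATH_INFO $document_uri;
    uwsgi_param DOCUMENT_ROOT $document_root;
    uwsgi_param SERVER_PROTOCOL $server_protocol;
    uwsgi_param REMOTE_ADDR $remote_addr;
    uwsgi_param REMOTE_PORT $remote_port;
    uwsgi_param SERVER_ADDR $server_addr;
    uwsgi_param SERVER_PORT $server_port;
    uwsgi_param SERVER_NAME $server_name;
  '';

  # Shared favicon location, included by most vhosts below.
  favicon = builtins.toFile "favicon" ''
    location = /favicon.ico {
      root /srv/www/default;
    }
  '';

  # ACME HTTP-01 challenge directory. Included on :80 (where the challenge is
  # actually fetched) and on the :443 hosts, so issuance keeps working no
  # matter what a vhost uses as its root.
  acme = builtins.toFile "acme" ''
    location /.well-known/acme-challenge {
      root /srv/www/acme/;
    }
  '';

  # Mail client autoconfiguration document, served from the Nix store as
  # /.well-known/autoconfig/mail/config-v1.1.xml.
  # NOTE(review): in this copy only the text nodes of the XML survive -- the
  # element markup appears to have been stripped. The values are kept verbatim
  # here; the file needs its clientConfig/emailProvider markup restored to be
  # usable by clients.
  # "password-cleartext" (PLAIN/LOGIN) is only acceptable because every listed
  # endpoint mandates STARTTLS or SSL; never pair it with a plain-text port.
  mail-autoconfig = pkgs.writeTextFile {
    name = "mail-autoconfig";
    destination = "/config-v1.1.xml";
    text = ''
      141.li xmpp.li yggdrasil.li praseodym.org kleen.li nights.email Yggdrasil Yggdrasil ymir.yggdrasil.li 143 STARTTLS password-cleartext %EMAILLOCALPART% ymir.yggdrasil.li 25 STARTTLS password-cleartext %EMAILLOCALPART% ymir.yggdrasil.li 993 SSL password-cleartext %EMAILLOCALPART%
    '';
  };
in
{
  # Rotate nginx's on-disk logs. NOTE(review): access_log/error_log below go
  # to syslog, so this glob may match nothing; `missingok` keeps that harmless.
  services.logrotate = {
    enable = true;
    extraConfig = ''
      /var/spool/nginx/logs/* {
        compress
        daily
        missingok
        rotate 4
        size 1M
        su ${config.services.nginx.user} ${config.services.nginx.group}
      }
    '';
  };

  # The nginx unit is otherwise read-only on the filesystem; the WebDAV vhost
  # below writes into the per-user upload tree.
  systemd.services.nginx.serviceConfig = {
    ReadWritePaths = "/srv/ftp";
  };

  services.nginx = {
    enable = true;
    recommendedOptimisation = true;

    # AEAD-only suites, ECDHE preferred. The DHE suites use the generated
    # dhparam below instead of nginx's weak built-in default group.
    sslCiphers = lib.concatStringsSep ":" [
      "ECDHE-ECDSA-AES128-GCM-SHA256"
      "ECDHE-RSA-AES128-GCM-SHA256"
      "ECDHE-ECDSA-AES256-GCM-SHA384"
      "ECDHE-RSA-AES256-GCM-SHA384"
      "ECDHE-ECDSA-CHACHA20-POLY1305"
      "ECDHE-RSA-CHACHA20-POLY1305"
      "DHE-RSA-AES128-GCM-SHA256"
      "DHE-RSA-AES256-GCM-SHA384"
    ];
    sslDhparam = config.security.dhparams.params.nginx.path;
    recommendedTlsSettings = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;

    commonHttpConfig = ''
      log_format main '$remote_addr "$remote_user" '
                      '"$host" "$request" $status $bytes_sent '
                      '"$http_referer" "$http_user_agent" '
                      '$gzip_ratio';

      # NOTE(review): ten-minute header/body/send timeouts let slow or idle
      # clients hold worker connections for a long time (slowloris-style
      # exhaustion). Presumably chosen for large WebDAV uploads -- consider
      # keeping the long client_body_timeout on the ftp vhost only and
      # shortening client_header_timeout globally.
      client_header_timeout 10m;
      client_body_timeout 10m;
      send_timeout 10m;
      connection_pool_size 256;
      client_header_buffer_size 1k;
      large_client_header_buffers 4 2k;
      request_pool_size 4k;
      output_buffers 1 32k;
      postpone_output 1460;
      ignore_invalid_headers on;

      access_log syslog:server=unix:/dev/log main;
      error_log syslog:server=unix:/dev/log info;

      # A single certificate for every vhost: it must carry SANs for all the
      # server_names in this file (141.li, praseodym.org, dirty-haskell.org,
      # ...), otherwise those hosts present a mismatched certificate.
      # NOTE(review): no Strict-Transport-Security header is set in this file;
      # add one unless the NixOS module version in use already emits it.
      ssl_certificate /var/lib/acme/yggdrasil.li/fullchain.pem;
      ssl_certificate_key /var/lib/acme/yggdrasil.li/key.pem;

      # Catch-all HTTPS host. Being the first server block it is also the
      # default for :443 (no explicit default_server).
      server {
        listen *:443 ssl;
        listen [::]:443 ssl;
        server_name _;
        include ${favicon};
        include ${acme};
        # The autoconfig document lives in a store directory. alias replaces
        # the location prefix literally, so it must end in "/" -- without it
        # the remainder of the URI (config-v1.1.xml) was appended to the
        # directory name and the file was never found.
        location /.well-known/autoconfig/mail/ {
          alias ${mail-autoconfig}/;
        }
        root /srv/www/default;
      }

      # Plain HTTP: serve ACME challenges, redirect everything else to HTTPS.
      server {
        listen *:80;
        listen [::]:80;
        server_name _;
        include ${acme};
        location / {
          return 301 https://$host$request_uri;
        }
      }
    '';

    appendHttpConfig = ''
      # Static file dump.
      server {
        listen *:443 ssl;
        listen [::]:443 ssl;
        server_name ~^(.*\.)?(f|files)\.(yggdrasil\.li|141\.li|praseodym\.org)$;
        include ${favicon};
        include ${acme};
        root /srv/www/files;
      }

      # Connectivity probe: always 204, never cached.
      server {
        listen *:443 ssl;
        listen [::]:443 ssl;
        server_name ~^(.*\.)?(o|online)\.(yggdrasil\.li|141\.li|praseodym\.org)$;
        include ${favicon};
        include ${acme};
        location / {
          add_header X-NetworkManager-Status online;
          add_header Cache-Control "max-age=0, must-revalidate";
          return 204;
        }
      }

      server {
        listen *:443 ssl;
        listen [::]:443 ssl;
        server_name ~^(.*\.)?dirty-haskell\.org$;
        include ${favicon};
        include ${acme};
        root /srv/www/dirty-haskell.org;
      }

      # cgit: static assets straight from the package, everything else to the
      # uwsgi socket (modifier1 9 -- presumably uwsgi's CGI mode).
      server {
        listen *:443 ssl;
        listen [::]:443 ssl;
        server_name ~^(.*\.)?git\.yggdrasil\.li$;
        root ${pkgs.cgit}/cgit;
        try_files $uri @cgit;
        include ${favicon};
        include ${acme};
        location @cgit {
          include ${uwsgi_params};
          uwsgi_pass unix:/run/git.yggdrasil.li.sock;
          uwsgi_modifier1 9;
        }
      }

      # Basic-auth gated reverse proxy to an internal host.
      server {
        listen *:443 ssl;
        listen [::]:443 ssl;
        server_name ~^(.*\.)?odin\.(yggdrasil\.li|141\.li)$;
        location / {
          auth_basic "Reverse proxy to odin";
          auth_basic_user_file /srv/www/odin/htpasswd;
          # Upstream kept in a variable so the name is resolved per request
          # and nginx starts even while odin is down. That requires a
          # `resolver` directive in the http context, which is not visible in
          # this file -- confirm one is configured elsewhere.
          # No URI part on the variable: when proxy_pass takes a variable,
          # any URI contained in it replaces the client's request URI, so the
          # previous trailing "/" forwarded every request to odin as "/"
          # instead of passing the path through.
          set $upstream http://odin.asgard.yggdrasil;
          proxy_pass $upstream;
          # NOTE(review): the client's Authorization header (the htpasswd
          # credentials) is forwarded to odin by default; clear it with
          # `proxy_set_header Authorization "";` unless odin relies on it.
        }
      }

      # "FTP" over WebDAV: each authenticated user gets /srv/ftp/<user> as
      # document root. auth_basic runs in the access phase before any content
      # handler, so $remote_user is only used as a path after it matched an
      # entry in the htpasswd file -- keep usernames there plain (no "/" or
      # ".."), as nothing else constrains the resulting path.
      server {
        listen *:443 ssl;
        listen [::]:443 ssl;
        server_name ~^ftp\.(yggdrasil\.li|141\.li|praseodym\.org)$;
        client_body_temp_path /run/nginx/webdav;
        location / {
          root /srv/ftp/$remote_user;
          autoindex on;
          auth_basic "FTP over WebDAV";
          auth_basic_user_file /srv/ftp.htpasswd;
          dav_methods PUT DELETE MKCOL COPY MOVE;
          create_full_put_path on;
          # Uploads are created world-readable on disk; over HTTP they stay
          # private to their owner because the root is per-user.
          dav_access user:rw group:r all:r;
        }
      }
    '';
  };
}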