{ config, ... }:
let
  domain = "immich.yggdrasil.li";

  # Directory the ACME module writes this domain's key/chain into. nginx never
  # opens it directly: systemd copies the files into /run/credentials at unit
  # start (see LoadCredential below), so the nginx service needs no read access
  # to the ACME state directory itself.
  certDir = config.security.acme.certs.${domain}.directory;

  # Path of a loaded credential as nginx sees it.
  credPath = name: "/run/credentials/nginx.service/${domain}.${name}";

  # One LoadCredential entry: "<credential id>:<source file>".
  credential = name: file: "${domain}.${name}:${certDir}/${file}";
in
{
  config = {
    # Credentials are read once at unit start, so a renewed certificate only
    # takes effect after a restart; a reload would keep serving the old files.
    security.acme.rfc2136Domains.${domain} = {
      restartUnits = [ "nginx.service" ];
    };

    services.nginx = {
      # Backend is reached over plain HTTP on an IPv6 address; this assumes the
      # hop between this host and the backend is a trusted network — TODO confirm.
      upstreams.immich = {
        servers."[2a03:4000:52:ada:4:1::]:2283" = { };
        # NOTE(review): upstream keepalive works only when the proxied requests
        # do not carry a fixed Connection header; the location below always
        # sends "Connection: upgrade", so verify that idle connections are
        # actually reused.
        extraConfig = ''
          keepalive 8;
        '';
      };

      virtualHosts.${domain} = {
        kTLS = true;
        # NOTE(review): in NixOS this only has an effect once the QUIC listener
        # is enabled for the host and UDP/443 is reachable — confirm both.
        http3 = true;
        # Plain-HTTP requests are redirected to HTTPS rather than served.
        forceSSL = true;
        sslCertificate = credPath "pem";
        sslCertificateKey = credPath "key.pem";
        # Chain used by nginx to verify OCSP responses for stapling.
        sslTrustedCertificate = credPath "chain.pem";
        extraConfig = ''
          charset utf-8;
        '';

        # Reverse proxy to the upstream with WebSocket upgrade passthrough.
        # Security-relevant points for whoever reads the backend side:
        #  - X-Forwarded-For is $proxy_add_x_forwarded_for, i.e. any value the
        #    client supplied is kept and the real address is appended; the
        #    backend must only trust the last (proxy-added) entry.
        #  - client_max_body_size 0 removes nginx's upload size cap and the
        #    request body is streamed unbuffered to the backend, so request
        #    size limits, if any, have to be enforced by the backend.
        locations."/".extraConfig = ''
          proxy_pass http://immich;
          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "upgrade";
          proxy_redirect off;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Host $server_name;
          proxy_set_header X-Forwarded-Proto $scheme;
          client_max_body_size 0;
          proxy_request_buffering off;
          proxy_buffering off;
        '';
      };
    };

    # Hand the ACME-issued key and chain to nginx via systemd credentials; the
    # credential ids match the file names used in the virtualHost above.
    systemd.services.nginx.serviceConfig.LoadCredential = [
      (credential "key.pem" "key.pem")
      (credential "pem" "fullchain.pem")
      (credential "chain.pem" "chain.pem")
    ];
  };
}