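# NixOS module for the deertopia.net Nginx virtual hosts.
#
# Every entry of `sydnix.deertopia.nginx.vhosts` that has `enable = true`
# becomes one `services.nginx.virtualHosts.<vhostName>` entry, with `root`
# forced to the entry's `directory`.
#
# NOTE: the `user` and `group` options (top-level and per host) are declared
# but not consumed by this module's `config`; ownership of the directories
# has to be arranged elsewhere.
{ config, lib, options, pkgs, ... }:
let
  cfg = config.sydnix.deertopia.nginx;

  # Hosts switched off via `enable = false` must not be handed to Nginx at all.
  enabledVhosts = lib.filterAttrs (_: host: host.enable) cfg.vhosts;
in
{
  options.sydnix.deertopia.nginx = {
    enable = lib.mkEnableOption "Nginx";

    root = lib.mkOption {
      type = lib.types.path;
      description = "deertopia.net's root directory.";
      default = "/persist/deertopia.net";
    };

    group = lib.mkOption {
      type = lib.types.str;
      description = "The owning group of deertopia.net's root directory.";
      default = "nginx";
    };

    user = lib.mkOption {
      type = lib.types.str;
      description = "The owning user of deertopia.net's root directory.";
      default = "nginx";
    };

    acmeEmail = lib.mkOption {
      type = lib.types.str;
      description = "Contact e-mail address registered with the ACME provider.";
      # Previously hard-coded in `security.acme.defaults.email`; kept as the
      # default so existing configurations behave the same.
      default = "lomiskiam@gmail.com";
    };

    vhosts = lib.mkOption {
      # NOTE: `name` is used verbatim as the subdomain label, so it must not
      # contain spaces or other characters that are invalid in a hostname.
      default = {};
      description = "Subdomains of deertopia.net served by Nginx, keyed by label.";
      type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: {
        options = {
          enable = lib.mkOption {
            description = "Enable ${name}.deertopia.net.";
            default = true;
            # `lib.types.bool` is the boolean option type (`lib.types.boolean`
            # is not defined in nixpkgs and fails evaluation).
            type = lib.types.bool;
          };

          directory = lib.mkOption {
            description = "Host's root directory.";
            type = lib.types.nullOr lib.types.path;
            default = "${cfg.root}/${name}";
          };

          user = lib.mkOption {
            type = lib.types.nullOr lib.types.str;
            description = "The owning user of the host's root directory.";
            default = cfg.user;
          };

          group = lib.mkOption {
            type = lib.types.nullOr lib.types.str;
            description = "The owning group of the host's root directory.";
            default = cfg.group;
          };

          vhostName = lib.mkOption {
            type = lib.types.str;
            description = "Fully qualified name used as the Nginx virtual host key.";
            default = "${name}.deertopia.net";
          };

          vhost = lib.mkOption {
            description = ''
              Virtual host settings, passed directly to the NixOS's Nginx module.
              `root` is always overridden by `directory`.
            '';
            type = lib.types.anything;
          };
        };
      }));
    };
  };

  config = lib.mkIf cfg.enable {
    services.nginx.enable = true;

    networking.firewall.allowedTCPPorts = [
      80  # HTTP
      443 # HTTPS
    ];

    # Accepting the terms and supplying a contact address is what lets virtual
    # hosts obtain Let's Encrypt certificates and have systemd timers renew
    # them. A host only requests a certificate when its `vhost` settings opt in
    # (`enableACME = true`, usually together with `forceSSL = true`); nothing in
    # this module turns that on per host. Snippet adapted from the NixOS wiki:
    # https://nixos.wiki/wiki/Nginx#Let.27s_Encrypt_certificates
    security.acme = {
      acceptTerms = true;
      defaults.email = cfg.acmeEmail;
    };

    sydnix.impermanence.directories = [
      # Keep issued certificates and account keys across reboots so they are
      # not re-requested on every boot.
      "/var/lib/acme"
    ];

    # Shallow-merge the user's vhost settings and force `root` from `directory`
    # (a null `directory` yields `root = null`, the Nginx module's default).
    services.nginx.virtualHosts = lib.mapAttrs' (_: host:
      lib.nameValuePair host.vhostName (host.vhost // { root = host.directory; })
    ) enabledVhosts;
  };
}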