# Sources for this configuration:
# - https://github.com/louislam/uptime-kuma/wiki/Reverse-Proxy

{ config, ... }:

# NixOS module: nginx as TLS-terminating reverse proxy in front of the service
# on localhost:3001 (Uptime Kuma, per the wiki link in the file header), plus
# redirect-only virtual hosts for the alternative host names.
#
# Two of the names exist twice: once on the regular 80/443 listeners and once
# as a "-proxyprotocol" entry on 8443 that expects a PROXY protocol header.
# The attribute name is only the NixOS key; nginx matches on serverName, which
# is the same for both variants of a name.
let
  canonicalHost = "status.hamburg.ccc.de";
  ccchhHost = "status.ccchh.net";
  z9Host = "status.z9.ccchh.net";

  # Listener builders for the plain and TLS ports on a given bind address.
  httpOn = addr: {
    inherit addr;
    port = 80;
  };
  httpsOn = addr: {
    inherit addr;
    port = 443;
    ssl = true;
  };

  # IPv6 wildcard only.
  # NOTE(review): presumably IPv4 clients arrive through the PROXY protocol
  # listener below rather than directly; confirm against the network setup.
  v6Listeners = [
    (httpOn "[::]")
    (httpsOn "[::]")
  ];

  # IPv4 and IPv6 wildcards, plain ports first, then TLS.
  dualStackListeners = [
    (httpOn "0.0.0.0")
    (httpOn "[::]")
    (httpsOn "0.0.0.0")
    (httpsOn "[::]")
  ];

  # TLS listener that requires a PROXY protocol header on every connection.
  proxyProtocolListeners = [
    {
      addr = "0.0.0.0";
      port = 8443;
      ssl = true;
      proxyProtocol = true;
    }
  ];

  # Trust boundary: only connections whose TCP peer is 10.31.206.11 get their
  # $remote_addr/$remote_port replaced by the values from the PROXY header.
  # Any other peer reaching port 8443 keeps its real address in $remote_addr,
  # but $proxy_protocol_addr would still carry whatever that peer sent, so it
  # must not be used for logging or access control while 8443 is reachable
  # from other sources.
  trustProxyProtocolPeer = ''
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
    # protocol.
    # First set our proxy protocol proxy as trusted.
    set_real_ip_from 10.31.206.11;
    # Then tell the realip_module to get the addreses from the proxy protocol
    # header.
    real_ip_header proxy_protocol;
  '';

  # Forward everything, including WebSocket upgrades, to the local backend.
  # NOTE(review): no Host / X-Forwarded-For headers are set in this file;
  # presumably services.nginx.recommendedProxySettings is enabled elsewhere.
  # Confirm, otherwise the client address restored above never reaches the
  # backend.
  backendProxy = {
    proxyPass = "http://localhost:3001";
    proxyWebsockets = true;
  };

  # 307 keeps the request method and stays temporary (not cached as permanent).
  temporaryRedirect = 307;
in
{
  services.nginx = {
    enable = true;

    virtualHosts = {
      # Canonical name; the only vhost that requests the ACME certificate.
      "status.hamburg.ccc.de" = {
        forceSSL = true;
        enableACME = true;
        serverName = canonicalHost;
        listen = v6Listeners;
        locations."/" = backendProxy;
      };

      # Canonical name again, reached via the PROXY protocol listener.
      "status-proxyprotocol.hamburg.ccc.de" = {
        forceSSL = true;
        useACMEHost = canonicalHost;
        serverName = canonicalHost;
        listen = proxyProtocolListeners;
        locations."/" = backendProxy;
        extraConfig = trustProxyProtocolPeer;
      };

      # Alternative name: redirect to the canonical host.
      "status.ccchh.net" = {
        forceSSL = true;
        useACMEHost = canonicalHost;
        serverName = ccchhHost;
        listen = v6Listeners;
        globalRedirect = canonicalHost;
        redirectCode = temporaryRedirect;
      };

      # Alternative name via the PROXY protocol listener: same redirect.
      "status-proxyprotocol.ccchh.net" = {
        forceSSL = true;
        useACMEHost = canonicalHost;
        serverName = ccchhHost;
        listen = proxyProtocolListeners;
        globalRedirect = canonicalHost;
        redirectCode = temporaryRedirect;
        extraConfig = trustProxyProtocolPeer;
      };

      # z9 name: bound on both address families directly, redirect only.
      "status.z9.ccchh.net" = {
        forceSSL = true;
        useACMEHost = canonicalHost;
        serverName = z9Host;
        listen = dualStackListeners;
        globalRedirect = canonicalHost;
        redirectCode = temporaryRedirect;
      };
    };
  };

  # One certificate for all three names; the redirect vhosts reuse it through
  # useACMEHost.
  security.acme.certs.${canonicalHost}.extraDomainNames = [
    ccchhHost
    z9Host
  ];

  # allowedTCPPorts opens these ports for every source address on every
  # interface. For 8443 that is wider than the single peer trusted in
  # trustProxyProtocolPeer.
  # NOTE(review): consider limiting 8443 to the proxy (for example through
  # networking.firewall.interfaces.<name>.allowedTCPPorts or a source-filtered
  # rule) unless filtering already happens upstream; not visible from here.
  networking.firewall.allowedTCPPorts = [
    80
    443
    8443
  ];
}