{ config, pkgs, ... }:

let
  domain = "design.hamburg.ccc.de";

  # Application backend; both locations below are proxied to it.
  backend = "http://127.0.0.1:9001";

  # The only TCP peer whose PROXY protocol header nginx will trust for the
  # real client address (see extraConfig below).
  proxyProtocolPeer = "172.31.17.140";

  # TLS port reached through the PROXY-protocol proxy, and the plain-HTTP
  # port that only serves ACME challenges.
  httpsPort = 8443;
  acmePort = 31820;
in
{
  services.nginx.enable = true;

  # Plain-HTTP vhost whose only job is answering ACME challenges for
  # ${domain}; the resulting certificate is consumed by the TLS vhost via
  # useACMEHost. Presumably the upstream proxy forwards port 80 here —
  # confirm against the proxy's configuration.
  services.nginx.virtualHosts."acme-${domain}" = {
    default = true;
    enableACME = true;
    serverName = domain;
    listen = [
      {
        addr = "0.0.0.0";
        port = acmePort;
      }
    ];
  };

  services.nginx.virtualHosts.${domain} = {
    default = true;
    forceSSL = true;
    useACMEHost = domain;

    # TLS endpoint fed by an upstream proxy that speaks PROXY protocol.
    # Clients connecting directly (without a PROXY header) are rejected
    # by nginx, but the port is still reachable by anyone allowed through
    # the firewall below.
    listen = [
      {
        addr = "0.0.0.0";
        port = httpsPort;
        ssl = true;
        proxyProtocol = true;
      }
    ];

    locations = {
      "/".proxyPass = backend;
      "/ws/notifications" = {
        proxyPass = backend;
        proxyWebsockets = true;
      };
    };

    # ngx_http_realip_module: rewrite $remote_addr/$remote_port from the
    # PROXY protocol header, but only when the TCP peer is the trusted proxy.
    # Headers presented by any other peer are ignored, so the client address
    # seen by the backend cannot be spoofed from elsewhere.
    extraConfig = ''
      # Make use of the ngx_http_realip_module to set the $remote_addr and
      # $remote_port to the client address and client port, when using proxy
      # protocol.
      # First set our proxy protocol proxy as trusted.
      set_real_ip_from ${proxyProtocolPeer};
      # Then tell the realip_module to get the addreses from the proxy protocol
      # header.
      real_ip_header proxy_protocol;
    '';
  };

  networking.firewall = {
    # NOTE(review): only the PROXY-protocol proxy needs to reach the TLS port;
    # consider restricting 8443 to that source address (e.g. via
    # networking.firewall.extraCommands) instead of opening it to all hosts.
    allowedTCPPorts = [ httpsPort acmePort ];
    # NOTE(review): nothing in this module listens on UDP (no QUIC/HTTP3 on
    # the listen entries), so UDP 8443 looks unused — confirm and drop it.
    allowedUDPPorts = [ httpsPort ];
  };
}