{ pkgs, ... }:

let
  element-web = pkgs.fetchzip {
    url = "https://github.com/vector-im/element-web/releases/download/v1.11.45/element-v1.11.45.tar.gz";
    sha256 = "sha256-nwRsBIF9vcHZkyVsLA2sU2cmuzALEIIOcWQRGfd+5xs=";
  };
  elementSecurityHeaders = ''
    # Configuration best practices
    # See: https://github.com/vector-im/element-web/tree/develop#configuration-best-practices
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Content-Security-Policy "frame-ancestors 'none'";

    add_header Strict-Transport-Security "max-age=63072000" always;
  '';
in
{
  services.nginx.virtualHosts = {
    "acme-element.hamburg.ccc.de" = {
      default = true;
      enableACME = true;
      serverName = "element.hamburg.ccc.de";

      listen = [
        {
          addr = "0.0.0.0";
          port = 31820;
        }
      ];
    };

    "element.hamburg.ccc.de" = {
      default = true;
      forceSSL = true;
      useACMEHost = "element.hamburg.ccc.de";

      listen = [
        {
          addr = "0.0.0.0";
          port = 8443;
          ssl = true;
          extraParameters = [ "proxy_protocol" ];
        }
      ];

      root = pkgs.buildEnv {
        name = "element-web";
        paths = [
          element-web
          ./element-web-config
        ];
      };

      # Set no-cache for the version, config and index.html
      # so that browsers always check for a new copy of Element Web.
      # NB http://your-domain/ and http://your-domain/? are also covered by this

      locations."= /index.html" = {
        extraConfig = elementSecurityHeaders + ''
          add_header Cache-Control "no-cache";
        '';
      };
      locations."= /version" = {
        extraConfig = elementSecurityHeaders + ''
          add_header Cache-Control "no-cache";
        '';
      };
      # covers config.json and config.hostname.json requests as it is prefix.
      locations."/config" = {
        extraConfig = elementSecurityHeaders + ''
          add_header Cache-Control "no-cache";
        '';
      };
      extraConfig = elementSecurityHeaders + ''
        index  index.html;

        # redirect server error pages to the static page /50x.html
        error_page   500 502 503 504  /50x.html;

        # Make use of the ngx_http_realip_module to set the $remote_addr and
        # $remote_port to the client address and client port, when using proxy
        # protocol.
        # First set our proxy protocol proxy as trusted.
        set_real_ip_from 172.31.17.140;
        # Then tell the realip_module to get the addreses from the proxy protocol
        # header.
        real_ip_header proxy_protocol;
      '';
    };
  };
}