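# NixOS module: nginx as a TLS-terminating reverse proxy in front of a
# Jellyfin instance listening on loopback port 8096.
#
# Fixes relative to the previous revision:
#   * `forceSSl` was a typo for the NixOS option `forceSSL`, so the
#     HTTP -> HTTPS redirect was never requested.
#   * two `proxyPass = "...";` bindings were missing their terminating `;`.
{ config, pkgs, ... }:

let
  # Response headers added at server level on both Jellyfin vhosts.
  #
  # - $hsts_header is not defined in this file. It has to come from a `map`
  #   in the http context elsewhere in the configuration, otherwise nginx
  #   rejects the config with an unknown-variable error.
  # - Strict-Transport-Security has no `always`, so it is only sent on
  #   2xx/3xx responses, unlike the other headers here.
  # - X-XSS-Protection is a legacy header that current browsers ignore;
  #   a Content-Security-Policy is what provides XSS mitigation today.
  # - X-Frame-Options is commented out, so nothing here restricts framing
  #   by other origins. NOTE(review): presumably deliberate; if not,
  #   re-enable it or use a CSP `frame-ancestors` directive.
  # - nginx only inherits add_header into a location that declares no
  #   add_header of its own; keep add_header out of the locations below or
  #   repeat these lines there.
  extraConfig = ''
    add_header Strict-Transport-Security $hsts_header;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    #add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "same-origin" always;
  '';

  # Headers forwarded to the backend.
  #
  # X-Forwarded-For is built with $proxy_add_x_forwarded_for, which appends
  # to whatever the client already sent, and X-Forwarded-Host carries the
  # raw client Host header. The backend should only honour these when the
  # request arrives from this proxy, and should treat everything but the
  # last X-Forwarded-For hop as client-controlled.
  proxyConfig = ''
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Protocol $scheme;
    proxy_set_header X-Forwarded-Host $http_host;
  '';

  # Backend address. Traffic between nginx and the backend is plain HTTP over
  # IPv6 loopback.
  # NOTE(review): confirm the backend binds to loopback only (or that port
  # 8096 is firewalled), otherwise the proxy and its headers can be bypassed.
  jellyAddr = "[::1]";

  # Shared virtual-host definition, reused for every public hostname.
  jellyWeb = {
    forceSSL = true; # was `forceSSl`; redirect plain HTTP to HTTPS
    http3 = true;
    quic = true;
    inherit extraConfig;

    locations = {
      # Send the bare root to the web client.
      "= /".return = "302 https://$host/web/";

      "/" = {
        proxyPass = "http://${jellyAddr}:8096";
        extraConfig = ''
          ${proxyConfig}
          proxy_buffering on;
        '';
      };

      "= /web/" = {
        proxyPass = "http://${jellyAddr}:8096/web/index.html";
        extraConfig = proxyConfig;
      };

      # Websocket endpoint; proxyWebsockets adds the Upgrade/Connection
      # handling.
      "/socket" = {
        proxyPass = "http://${jellyAddr}:8096";
        proxyWebsockets = true;
        extraConfig = proxyConfig;
      };
    };
  };
in
{
  services.nginx = {
    virtualHosts = {
      # Primary name; owns the ACME certificate.
      "fentanyl.trade" = jellyWeb // {
        enableACME = true;
      };

      # Secondary name; reuses the primary certificate (see extraDomainNames).
      "frotti.ng" = jellyWeb // {
        useACMEHost = "fentanyl.trade";
      };
    };

    # NOTE(review): `createHost` and `redirectTo` are not options of the
    # stock NixOS nginx module; presumably a local module defines them.
    # If not, these entries belong under `virtualHosts`, and the redirect
    # would use `globalRedirect`. Confirm before deploying.
    createHost = {
      "watch.kyouma.net" = {
        redirectTo = "fentanyl.trade";
      };

      # Catch-all server: any request whose Host matches no other vhost is
      # refused with 403 instead of being served by the Jellyfin vhost.
      # NOTE(review): in the stock module `useACMEHost` alone does not add a
      # TLS listener (that needs addSSL/onlySSL/forceSSL). Verify that this
      # catch-all is also the default server on port 443; otherwise unmatched
      # HTTPS requests fall through to the first TLS vhost.
      "redirect" = {
        default = true;
        reuseport = true;
        useACMEHost = "fentanyl.trade";
        extraConfig = ''
          return 403;
        '';
      };
    };
  };

  # Every hostname served with the shared certificate must be listed here.
  security.acme.certs = {
    "fentanyl.trade" = {
      extraDomainNames = [
        "frotti.ng"
        "watch.kyouma.net"
      ];
    };
  };
}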