{ config, lib, ... }:

with lib; let
  cfg = config.kyouma.nginx.virtualHosts;
  extraConfig = ''
    add_header Strict-Transport-Security 	$hsts_header;
    #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
    add_header X-Content-Type-Options 	"nosniff" always;
    add_header X-XSS-Protection 		"1; mode=block" always;
    add_header X-Frame-Options 		"SAMEORIGIN" always;
    add_header Referrer-Policy 		"same-origin" always;
  '';
  virtHostCfg = {
    forceSSL = true;
    #kTLS = true;
    #http3 = true;
    #quic = true; 
  };
  createHostFunc = builtins.mapAttrs (vhostName: vhostCfg:
    with lib; let
      mkRedirect = if builtins.hasAttr "redirectTo" vhostCfg 
        then {
          useACMEHost = vhostCfg.redirectTo;
          globalRedirect = vhostCfg.redirectTo;
        } else (
          optionalAttrs (!(builtins.hasAttr "useACMEHost" vhostCfg)) {
            enableACME = true;
        });
      extraCfg = if builtins.hasAttr "extraConfig" vhostCfg
        then { extraConfig = ''${vhostCfg.extraConfig} ${extraConfig}''; }
        else { inherit extraConfig; };
    in
    virtHostCfg // mkRedirect // extraCfg //
    (builtins.removeAttrs vhostCfg [ "redirectTo" "extraConfig" ])
  );
in {
  options = {
    kyouma.nginx.virtualHosts = mkOption {
      type = with types; nullOr anything;
      default = null;
    };
  };
  config = {
    services.nginx.virtualHosts = mkIf (cfg != null) (createHostFunc (cfg));
  };
}