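# nginx (OpenResty) front-end: a catch-all default vhost that only serves a
# static 404 page, plus the Lua package path, TLS trust settings and a shared
# helper used by lua-resty-openidc based access control in other vhosts.
{ services, pkgs, lib, ... }:

{
  services.nginx = {
    enable = true;
    # OpenResty rather than stock nginx: provides the *_by_lua_block
    # directives and the lua_* settings used below.
    package = pkgs.openresty;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    # Catch-all vhost: any request that matches no more specific server block
    # lands here and is answered with the static 404 page.
    virtualHosts."architect.devs.giugl.io" = {
      default = true;
      enableACME = true;
      addSSL = true;
      root = "/var/lib/nginx/error_pages";
      extraConfig = "error_page 404 /index.htm;";

      locations = {
        # Every path is a 404; error_page above rewrites it to /index.htm.
        "/" = { return = "404"; };

        # Only the assets of the error page itself are served from root.
        "/index.htm" = { };

        "/style.css" = { };

        "/wat.jpg" = { };
      };
    };
    appendHttpConfig = let
      # Lua libraries made visible to OpenResty (the OIDC client and its
      # dependencies).
      extraPureLuaPackages = with pkgs.luajitPackages; [
        lua-resty-openidc
        lua-resty-http
        lua-resty-session
        lua-resty-jwt
        lua-resty-openssl
      ];
      luaPath = pkg: "${pkg}/share/lua/5.1/?.lua";
      makeLuaPath = lib.concatMapStringsSep ";" luaPath;
    in ''
      lua_package_path '${makeLuaPath extraPureLuaPackages};;';
      # CA bundle used to verify TLS on Lua cosocket connections (the OIDC
      # client talks to the identity provider over HTTPS).
      lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
      lua_ssl_verify_depth 5;

      # cache for OIDC discovery metadata
      lua_shared_dict discovery 1m;
      lua_shared_dict jwks 1m;

      # https://github.com/openresty/lua-resty-redis/issues/159
      resolver local=on ipv6=off;

      init_worker_by_lua_block {
        -- check_role(res, role): true when the user carried in `res`
        -- (presumably the table returned by the OIDC authenticate call)
        -- lists `role` in res.user.roles.  The comparison lower-cases the
        -- claim value only, so callers must pass `role` in lower case.
        -- A missing res / res.user / res.user.roles or a non-string entry
        -- yields false (deny) instead of raising a Lua error.
        -- Declared without `local` so it is a global of the worker's Lua VM
        -- and reachable from the access-phase handlers of other vhosts.
        function check_role (res, role)
          if res == nil or res.user == nil or res.user.roles == nil then
            return false
          end

          for _,v in pairs(res.user.roles) do
            -- non-string claim values can never match a role name
            if type(v) == "string" and string.lower(v) == role then
              return true
            end
          end

          return false
        end
      }
    '';

    appendConfig = ''
      worker_processes 24;
    '';
  };
  # Membership of the acme group is what lets the nginx user read the
  # ACME-issued certificates for the vhost above.
  users.groups.acme.members = [ "nginx" ];
}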