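# NixOS module: declares `pepe.core.vhost.hosts` and renders every declared
# host into an nginx reverse-proxy virtual host with per-location IP access
# rules.
#
# Access model. nginx checks allow/deny rules in order and stops at the first
# match, so the order generated below is what decides who gets in:
#   1. every CIDR listed in `allow`
#   2. the LAN network, when `allowLAN` is set
#   3. the VPN network, when `allowVPN` is set
#   4. `deny all;`, unless `allowWAN` is set
#   5. the caller-supplied `extraConfig`
# With every option left at its default a location therefore answers nobody.
{ config, lib, ... }:

let
  inherit (lib) mkOption types mapAttrs concatMapStringsSep optionalString;

  cfg = config.pepe.core.vhost;
  network = config.pepe.core.network;

  # Network of the interface registered under the given role ("lan", "vpn").
  # NOTE(review): `.net` is presumably a CIDR string usable in an nginx
  # `allow` directive; confirm against the network module.
  netOf = role: network.interfaces.${network.interfaceTypes.${role}}.net;
in
{
  options.pepe.core.vhost = {
    hosts = mkOption {
      type = types.attrsOf (types.submodule {
        options = {
          # Not read anywhere in this module; presumably consumed by a DNS
          # module elsewhere (verify). The example is a string although the
          # option is a list; it is kept as the author wrote it.
          dnsInterfaces = mkOption {
            type = types.listOf types.str;
            default = [ ];
            description = "List of interfaces to add extra DNS hosts for this vhost.";
            example = "config.pepe.core.network.interfaceTypes.lan";
          };

          locations = mkOption {
            type = types.attrsOf (types.submodule {
              options = {
                extraConfig = mkOption {
                  type = types.str;
                  description = "Extra configuration for the location.";
                  default = "";
                };

                # Differs from `allowLAN` only in letter case and is never read
                # by the config section below. It is kept so existing
                # configurations still evaluate, and deliberately NOT wired up
                # as an alias: doing so would silently widen access for anyone
                # who already sets it.
                allowLan = mkOption {
                  type = types.bool;
                  default = false;
                  description = "Ignored. Use allowLAN to allow LAN traffic.";
                };

                proxyWebsockets = mkOption {
                  type = types.bool;
                  default = false;
                  description = "Whether to enable WebSocket proxying for the location.";
                };

                host = mkOption {
                  type = types.str;
                  description = "The host for the location.";
                  default = "127.0.0.1";
                };

                # `types.port` rejects values outside 0-65535 at evaluation
                # time instead of producing an nginx config with a bad port.
                port = mkOption {
                  type = types.port;
                  description = "The port number for the location.";
                };

                allow = mkOption {
                  type = types.listOf types.str;
                  default = [ ];
                  description = "IP address or CIDR block to allow.";
                };

                allowVPN = mkOption {
                  type = types.bool;
                  default = false;
                  description = "If set to true, allow VPN traffic.";
                };

                allowLAN = mkOption {
                  type = types.bool;
                  default = false;
                  description = "If set to true, allow LAN traffic.";
                };

                # The previous text said "deny all WAN traffic", but the
                # generated rule is `deny all;`, which rejects every client not
                # matched by an earlier allow rule, not only WAN clients.
                allowWAN = mkOption {
                  type = types.bool;
                  default = false;
                  description = "If set to true, no final deny rule is emitted and the location is reachable from any address. If false, every client not matched by allow, allowLAN or allowVPN is denied.";
                };

                path = mkOption {
                  type = types.str;
                  default = "";
                  description = "Path appended to the upstream URL passed to proxyPass.";
                };

                recommendedProxySettings = mkOption {
                  type = types.bool;
                  default = true;
                  description = "Force the use of recommended proxy configuration.";
                };
              };
            });
            default = { };
            description = "An attribute set of location configurations.";
          };
        };
      });
      default = { };
      description = "An attribute set of domain configurations.";
    };
  };

  config = {
    services.nginx.virtualHosts = mapAttrs
      (domain: conf: {
        forceSSL = true;
        # The certificate host is fixed, so every domain declared through this
        # module has to be covered by that ACME certificate.
        # NOTE(review): verify against the security.acme configuration.
        useACMEHost = "giugl.io";

        locations = mapAttrs
          (path: location: {
            # The upstream is reached over plain HTTP. That stays on loopback
            # with the default host, but is unencrypted on the wire as soon as
            # `host` points at another machine.
            proxyPass = "http://${location.host}:${toString location.port}${location.path}";
            proxyWebsockets = location.proxyWebsockets;
            recommendedProxySettings = location.recommendedProxySettings;

            # Access rules come first and the caller's extraConfig last. Since
            # the first matching rule wins, an `allow` placed in extraConfig
            # cannot widen access while allowWAN is false: `deny all;` has
            # already matched. The LAN/VPN lookups are only evaluated when the
            # matching flag is set (Nix is lazy).
            extraConfig = ''
              ${concatMapStringsSep "\n" (allowCIDR: "allow ${allowCIDR};") location.allow}
              ${optionalString location.allowLAN "allow ${netOf "lan"};"}
              ${optionalString location.allowVPN "allow ${netOf "vpn"};"}
              ${optionalString (!location.allowWAN) "deny all;"}
            '' + location.extraConfig;
          })
          conf.locations;
      })
      cfg.hosts;
  };
}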