{ services, pkgs, lib, ... }:

{
  services.nginx = {
    enable = true;
    package = pkgs.openresty;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    virtualHosts."architect.devs.giugl.io" = {
      default = true;
      enableACME = true;
      addSSL = true;
      root = "/var/lib/nginx/error_pages";
      extraConfig = "error_page 404 /index.htm;";

      locations = {
        "/" = { return = "404"; };

        "/index.htm" = { };

        "/style.css" = { };

        "/wat.jpg" = { };
      };
    };
    appendHttpConfig = let
      extraPureLuaPackages = with pkgs.luajitPackages; [ lua-resty-openidc ];
      luaPath = pkg: "${pkg}/share/lua/5.1/?.lua";
      makeLuaPath = lib.concatMapStringsSep ";" luaPath;
    in ''
      lua_package_path '${makeLuaPath extraPureLuaPackages};;';

      # cache for OIDC discovery metadata
      lua_shared_dict discovery 1m;
    '';

    appendConfig = ''
      worker_processes 24;
    '';
  };
  users.groups.acme.members = [ "nginx" ];
}