{ pkgs, lib, config, ... }:
let

  cfg = config.mods.server.nginx;

in with lib; {
  options.mods.server.nginx = {
    enable = mkEnableOption {
      default = false;
      description = "enables nginx reverse proxy";
    };

    ip = mkOption {
      type = types.str;
      default = "10.0.0.3";
    };

    domain = mkOption {
      type = types.str;
      default = "muon.host";
    };

    hosts = mkOption {
      type = types.attrsOf (types.ints.u16);
      default = { };
    };
  };

  config = mkIf cfg.enable {
    # ACME won't be able to authenticate your domain
    # if ports 80 & 443 aren't open in your firewall.
    networking.firewall = { allowedTCPPorts = [ 443 80 ]; };
    security.acme.defaults.email = "acme@muon.host";
    security.acme.acceptTerms = true;

    services.nginx = {
      enable = true;

      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;

      # Only allow PFS-enabled ciphers with AES256
      # sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";

      appendHttpConfig = ''
        # Add HSTS header with preloading to HTTPS requests.
        # Adding this header to HTTP requests is discouraged
        # map $scheme $hsts_header {
            # https   "max-age=31536000; includeSubdomains; preload";
        # }
        # add_header Strict-Transport-Security $hsts_header;

        # Enable CSP for your services.
        #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;

        # Minimize information leaked to other domains
        add_header 'Referrer-Policy' 'origin-when-cross-origin';

        # Disable embedding as a frame
        add_header X-Frame-Options DENY;

        # Prevent injection of code in other mime types (XSS Attacks)
        add_header X-Content-Type-Options nosniff;

        # This might create errors
        # proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";

        # required when the server wants to use HTTP Authentication
        proxy_pass_header Authorization;
      '';

      virtualHosts = let
        base = locations: {
          inherit locations;

          forceSSL = true;
          enableACME = true;
        };
        proxy = port:
          base {
            "/".proxyPass = cfg.ip + toString port + "/";
            default = true;
          };
      in mapAttrs'
      (name: port: nameValuePair ("${name}.${cfg.domain}") (proxy port))
      cfg.hosts;
    };
  };
}