flake/modules/nixos/server/lemmy.nix

{ pkgs, lib, config, ... }:
let
  inherit (lib) mkEnableOption;
  cfg = config.mods.server.lemmy;
  port = config.mods.server.local.ports.lemmy-api;
  port-ui = config.mods.server.local.ports.lemmy-ui;
  port-pict = config.mods.server.local.ports.pict-rs;
  hostname = "lemmy.muon.host";
  bind = "0.0.0.0";
in {
  options.mods.server.lemmy = {
    enable = mkEnableOption {
      default = false;
      description = "enables lemmy engine server";
    };
  };

  config = {
    services.lemmy = lib.mkIf cfg.enable {
      enable = true;

      ui.port = port-ui;

      settings = { inherit port hostname bind; };

      database.createLocally = true;
    };

    systemd.services.lemmy-ui = lib.mkIf cfg.enable {
      environment = lib.mkForce {
        LEMMY_UI_HOST = "${bind}:${toString port-ui}";
        LEMMY_UI_LEMMY_INTERNAL_HOST = "${bind}:${toString port}";
        LEMMY_UI_LEMMY_EXTERNAL_HOST = hostname;
        LEMMY_UI_HTTPS = "false";
        NODE_ENV = "production";
      };
    };

    services.pict-rs = lib.mkIf cfg.enable {
      enable = true;
      port = port-pict;
      address = "0.0.0.0";
    };

    services.nginx.virtualHosts."${hostname}" = let
      ui = "http://10.0.0.3:${toString port-ui}";
      backend = "http://10.0.0.3:${toString port}";
    in lib.mkIf config.mods.server.nginx.enable {
      forceSSL = true;
      enableACME = true;
      locations = {
        "~ ^/(api|pictrs|feeds|nodeinfo|.well-known)" = {
          # backend requests
          proxyPass = backend;
          proxyWebsockets = true;
          recommendedProxySettings = true;
        };
        "/" = {
          # mixed frontend and backend requests, based on the request headers
          extraConfig = ''
            set $proxpass "${ui}";
            if ($http_accept = "application/activity+json") {
              set $proxpass "${backend}";
            }
            if ($http_accept = "application/ld+json; profile=\"https://www.w3.org/ns/activitystreams\"") {
              set $proxpass "${backend}";
            }
            if ($request_method = POST) {
              set $proxpass "${backend}";
            }

            # Cuts off the trailing slash on URLs to make them valid
            rewrite ^(.+)/+$ $1 permanent;

            proxy_pass $proxpass;
            # Proxied `Host` header is required to validate ActivityPub HTTP signatures for incoming events.
            # The other headers are optional, for the sake of better log data.
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          '';
        };
      };
    };
  };
}