{ config, ... }:
let
  cfg = config.services.hedgedoc.settings;

  # Every location below proxies to the same HedgeDoc backend, addressed by
  # the host/port taken from its own settings.
  backend = "http://${cfg.host}:${toString cfg.port}";

  # nginx access control shared by the operational endpoints (/metrics, /status):
  # only the two listed monitoring addresses may reach them; all other clients
  # get 403 from `deny all`.
  monitoringOnly = ''
    allow 195.160.173.14;
    allow 2001:678:760:cccb::14;
    deny all;
  '';

  # Base location settings, extended per endpoint with `extra`.
  proxyTo = extra: {
    proxyPass = backend;
    recommendedProxySettings = true;
  } // extra;
in
{
  services.nginx.virtualHosts."md.${config.networking.domain}" = {
    # This vhost also answers requests whose Host header matches no other vhost.
    default = true;
    quic = true;
    kTLS = true;
    # Plain HTTP is redirected to HTTPS; the certificate comes from ACME.
    forceSSL = true;
    enableACME = true;

    locations = {
      "/" = proxyTo {
        # NOTE: the add_header line is commented out inside the nginx snippet,
        # so no Content-Security-Policy header is currently sent for the app.
        extraConfig = ''
          #add_header Content-Security-Policy "frame-src 'self'; default-src 'self'; script-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; form-action 'self'; upgrade-insecure-requests;" always;
        '';
      };

      # Realtime collaboration endpoint; needs WebSocket upgrade headers passed through.
      "/socket.io/" = proxyTo { proxyWebsockets = true; };

      # Operational endpoints are not public: restricted to monitoring hosts.
      "/metrics" = proxyTo { extraConfig = monitoringOnly; };
      "/status" = proxyTo { extraConfig = monitoringOnly; };
    };
  };
}