{ config, pkgs, ... }:

let
  cfg = config.services.hedgedoc.settings;
in
{
  services.nginx.virtualHosts."${config.networking.hostName}.${config.networking.domain}" = {
    default = true;
    quic = true;
    kTLS = true;
    forceSSL = true;
    enableACME = true;
    locations = {
      "/" = {
        recommendedProxySettings = true;
        proxyPass = "http://${cfg.host}:${toString cfg.port}";
      };
      "/socket.io/" = {
        recommendedProxySettings = true;
        proxyWebsockets = true;
        proxyPass = "http://${cfg.host}:${toString cfg.port}";
      };
      "/metrics" = {
        recommendedProxySettings = true;
        proxyPass = "http://${cfg.host}:${toString cfg.port}";
        extraConfig = ''
          allow 195.160.173.14;
          allow 2001:678:760:cccb::14;
          deny all;
        '';
      };
      "/status" = {
        recommendedProxySettings = true;
        proxyPass = "http://${cfg.host}:${toString cfg.port}";
        extraConfig = ''
          allow 195.160.173.14;
          allow 2001:678:760:cccb::14;
          deny all;
        '';
      };
    };
  };
}