##############################################################################################
# Includes:                                                                                  #
#   - Nginx + SSL config                                                                     #
#   - Gitea                                                                                  #
#   - Hydra                                                                                  #
#   - Nextcloud                                                                              #
#   - Mail ssl root                                                                          #
##############################################################################################
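{
  options,
  config,
  lib,
  pkgs,
  ...
}:
with lib;
with builtins;
  # Whole module is a no-op unless this machine lists "nginx" in its services.
  mkIf (elem "nginx" config.machine.services) {
    services.nginx = let
      vHostDir = ./nginx_vHosts;

      # Import only regular files ending in ".nix". Anything else that lands in
      # the directory (editor swap files, sub-directories, stray notes) is
      # skipped instead of aborting evaluation with an import error.
      vHostFiles =
        filter (hasSuffix ".nix")
        (attrNames (filterAttrs (_: type: type == "regular") (readDir vHostDir)));

      # Per-service vhost fragments, keyed by file name without the ".nix"
      # suffix. Every fragment is a function of the standard module arguments.
      vHostConfigs = listToAttrs (map
        (file: {
          name = removeSuffix ".nix" file;
          value = import (vHostDir + "/${file}") {inherit options config lib pkgs;};
        })
        vHostFiles);

      # Build one nginx virtualHost from a `config.machine.vHosts` entry
      # (`domain` = server name, `service` = fragment name in ./nginx_vHosts).
      #
      # The service fragment is merged on the right of `//`, so a fragment
      # that sets enableACME / forceSSL / acmeRoot itself overrides these
      # defaults for that host. Keep that in mind when reviewing a fragment:
      # it can silently turn off the HTTPS redirect for its domain.
      mkVHost = vHost: {
        name = vHost.domain;
        value =
          {
            enableACME = true;
            forceSSL = true;
            acmeRoot = "/var/lib/acme/acme-challenge";
          }
          // (vHostConfigs.${vHost.service}
            or (throw "nginx: no vhost fragment ./nginx_vHosts/${vHost.service}.nix for domain ${vHost.domain}"));
      };

      vHosts = listToAttrs (map mkVHost config.machine.vHosts);
    in {
      enable = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      # NOTE(review): this overrides the module's default cipher list. "+SHA1"
      # re-admits the CBC/HMAC-SHA1 suites (e.g. ECDHE-RSA-AES256-SHA), which
      # the Mozilla "intermediate" profile drops; "EDH+aRSA" enables DHE, whose
      # group size depends on nginx's built-in DH params unless ssl_dhparam is
      # set (not set here). Only keep "+SHA1" if a known legacy client needs it.
      sslCiphers = "EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL";
      sslProtocols = "TLSv1.3 TLSv1.2";
      # Security headers for every server block.
      #
      # nginx `add_header` is NOT additive across levels: if a fragment in
      # ./nginx_vHosts emits its own `add_header` in a server or location
      # block, none of the headers below are sent for that block. Fragments
      # that add headers must repeat these.
      #
      # `add_header` also skips 4xx/5xx responses unless `always` is given;
      # append `always` if HSTS must be present on error pages too.
      commonHttpConfig = ''
        # The map yields an empty string for plain http, and nginx omits an
        # add_header whose value is empty, so HSTS is only sent over TLS.
        # `preload` is a long-lived commitment: every subdomain must serve
        # HTTPS forever once submitted to the browser preload list. Remove it
        # unless that submission is intended.
        map $scheme $hsts_header {
            https   "max-age=31536000; includeSubdomains; preload";
        }
        add_header Strict-Transport-Security $hsts_header;
        # origin-when-cross-origin still sends the origin on https -> http
        # downgrades; strict-origin-when-cross-origin is the usual default.
        add_header 'Referrer-Policy' 'origin-when-cross-origin';
        # Clickjacking protection is intentionally left to the individual
        # vhost fragments (X-Frame-Options or CSP frame-ancestors).
        # add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        # X-XSS-Protection is deprecated; current browsers ignore it and the
        # "1; mode=block" filter introduced cross-site leaks in older ones.
        # Prefer "0" or dropping the header in favour of a per-vhost CSP.
        add_header X-XSS-Protection "1; mode=block";
      '';
      virtualHosts = vHosts;
    };
  }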