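# NixOS module for the "ingress-proxy" host: a public-facing nginx that
# terminates TLS (ACME certificates) and forwards to backends reached through
# *.hoki-porgy.ts.net names, plus a few static sites and the Matrix
# /.well-known delegation documents.
{ lib, pkgs, ... }:
let
  # Builds the "<name>.hoki-porgy.ts.net:<port>" address used for nginx
  # upstream servers.
  tsHost = name: port: "${name}.hoki-porgy.ts.net:${toString port}";
in
{
  imports = [
    ../../templates/proxmox-lxc.nix
    ../../server.nix
    ../../features/dns-cache.nix
    ../../features/nginx.nix
  ];

  networking.hostName = "ingress-proxy";
  system.stateVersion = "24.05";
  nixpkgs.hostPlatform = "x86_64-linux";

  # Inbound TCP: 80 (plain HTTP, redirected by forceSSL), 443 (HTTPS) and
  # 8448 (extra TLS listener on the Matrix vhost below).
  networking.firewall.allowedTCPPorts = [ 80 443 8448 ];
  # Inbound UDP is only useful for QUIC / HTTP/3, which always runs over TLS,
  # so UDP 80 was an open port with no possible listener and is dropped.
  # NOTE(review): no vhost in this file sets `quic = true`; unless
  # ../../features/nginx.nix enables QUIC, nothing listens on UDP 443/8448
  # either and both can be closed as well -- confirm.
  networking.firewall.allowedUDPPorts = [ 443 8448 ];

  services.nginx = {
    recommendedTlsSettings = true;

    # Backends are addressed by their ts.net names. The proxy -> backend hop is
    # plain HTTP (see the proxyPass values below), so its confidentiality
    # depends on the network those names resolve into.
    upstreams = {
      mango.servers."${tsHost "mango" 6167}" = { };
      hsb.servers."${tsHost "happystaticbuzz" 8080}" = { };
    };

    virtualHosts =
      let
        # Static-site vhost: TLS enforced, ACME certificate, document root
        # copied into the Nix store.
        #   src     - ready-made source; when null the site is fetched from git
        #   url/rev - git repository and the exact commit to serve; keeping
        #             `rev` a full commit hash means the published content can
        #             only change through a change to this file
        #   aliases - additional server names
        #   name    - store name passed to the fetcher (defaults to `url`)
        static = { src ? null, url ? null, rev ? null, aliases ? [ ], name ? url }: {
          http2 = true;
          http3 = true;
          forceSSL = true;
          enableACME = true;
          serverAliases = aliases;
          root = pkgs.stdenvNoCC.mkDerivation {
            # Fix: `if` needs a boolean. The previous `if src then ...` failed
            # to evaluate both for the default `null` and for a real source,
            # so the condition is now an explicit null check.
            # Fix: fetchGit is a Nix builtin; it is called as builtins.fetchGit
            # instead of through pkgs.lib.
            src =
              if src != null
              then src
              else builtins.fetchGit { inherit url rev name; };
            # NOTE(review): mkDerivation is given no `name`/`pname`, and the
            # default `name` (= url) contains characters that are not valid in
            # a store path name -- looks like `name` was meant to be a plain
            # identifier passed through here; confirm.
            # NOTE(review): for a single-file `src` this copies a file, not a
            # directory, to $out while nginx `root` expects a directory --
            # confirm the intended layout.
            installPhase = "cp -r $src $out";
          };
        };
      in
      {
        # Matrix (main)
        "mx.sapphic.engineer" = {
          forceSSL = true;
          enableACME = true;
          http2 = true;
          http3 = true;
          # Explicit listeners: TLS on 443 and on 8448, IPv4 and IPv6.
          listen = [
            { addr = "0.0.0.0"; port = 443; ssl = true; }
            { addr = "[::]"; port = 443; ssl = true; }
            { addr = "0.0.0.0"; port = 8448; ssl = true; }
            { addr = "[::]"; port = 8448; ssl = true; }
          ];
          # Only the /_matrix/ prefix is forwarded to the homeserver; no other
          # path on this vhost reaches the backend.
          # NOTE(review): only Host is forwarded here. Unless
          # ../../features/nginx.nix adds X-Forwarded-For / X-Real-IP, the
          # backend sees every request as coming from the proxy, which weakens
          # per-client rate limiting and audit logs -- confirm.
          locations."/_matrix/" = {
            proxyPass = "http://mango";
            proxyWebsockets = true;
            extraConfig = ''
              proxy_set_header Host $host;
              proxy_buffering off;
            '';
          };
          # merge_slashes off passes request paths through without collapsing
          # repeated slashes; client_max_body_size bounds request bodies
          # (uploads) accepted at the proxy.
          extraConfig = ''
            merge_slashes off;
            client_max_body_size 100M;
          '';
        };

        "happ.ystatic.buzz" = {
          forceSSL = true;
          enableACME = true;
          http2 = true;
          http3 = true;
          locations."/" = {
            proxyPass = "http://hsb";
            proxyWebsockets = true;
            # The forwarded-header block is disabled, so (unless a shared
            # module sets these) the backend receives neither the original
            # client address nor the original scheme.
            #extraConfig = ''
            #  proxy_set_header Host "happ.ystatic.buzz";
            #  proxy_set_header X-Forwarded-For $remote_addr;
            #  proxy_set_header X-Forwarded-Proto $scheme;
            #'';
          };
          # Request-body limit for this vhost.
          extraConfig = ''
            client_max_body_size 40M;
          '';
        };

        # Site content pinned to one commit of the repository.
        "mekanoe.com" = static {
          url = "https://codeberg.org/noe/personal-site.git";
          rev = "8601d3a426bc07c715f265b2132b384c21397533";
        };

        # Placeholder content: a store file containing the text "down".
        "oc.mekanoe.com" = static {
          src = pkgs.writeText "oc.mekanoe.com" "down";
          name = "oc.mekanoe.com";
        };

        # Generic store for /.well-known/ paths.
        "well-known.sapphic.engineer" = {
          #serverAliases = [ "sapphic.engineer" ];
          # NOTE(review): a certificate is requested (enableACME) but none of
          # forceSSL / addSSL / onlySSL is enabled, so as far as this file
          # shows the vhost answers on plain HTTP only. Matrix discovery
          # documents are fetched over HTTPS, and over HTTP they can be
          # altered in transit; `addSSL = true;` would serve them on both --
          # confirm how this host is reached.
          forceSSL = false;
          enableACME = true;
          http2 = true;
          http3 = true;

          # Exact-match location serving the server-delegation document
          # (points federation at mx.sapphic.engineer), generated as JSON at
          # build time.
          locations."=/.well-known/matrix/server" =
            let
              alias = pkgs.writeText "well-known-matrix-server" (builtins.toJSON {
                "m.server" = "mx.sapphic.engineer";
              });
            in
            {
              alias = "${alias}";
              extraConfig = ''
                default_type application/json;
              '';
            };

          # Exact-match location serving the client-discovery document. The
          # wildcard CORS header lets browser-based clients on any origin read
          # it; the document holds only the public homeserver URL.
          locations."=/.well-known/matrix/client" =
            let
              alias = pkgs.writeText "well-known-matrix-client" (builtins.toJSON {
                "m.homeserver" = {
                  base_url = "https://mx.sapphic.engineer";
                };
              });
            in
            {
              alias = "${alias}";
              extraConfig = ''
                default_type application/json;
                add_header Access-Control-Allow-Origin "*";
              '';
            };
        };
      };
  };
}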