{ lib, pkgs, config, inputs, ... }: let
  tsHost = name: port: "${name}.hoki-porgy.ts.net:${toString port}";
  flakePackage = flake: inputs.${flake}.packages.${pkgs.system}.default;
in {
  imports = [
    ../../templates/proxmox-lxc.nix
    ../../server.nix
    ../../features/dns-cache.nix
    ../../features/nginx.nix
    ../../features/telemetry/nginx.nix
  ];

  networking.hostName = "ingress-proxy";
  system.stateVersion = "24.05"; 
  nixpkgs.hostPlatform = "x86_64-linux";
  
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  networking.firewall.allowedUDPPorts = [ 80 443 ];

  services.nginx = {
    recommendedBrotliSettings = true;
    recommendedGzipSettings = true;
    recommendedZstdSettings = true;
    recommendedTlsSettings = true;
    recommendedProxySettings = true;

    clientMaxBodySize = "150m";
    
    upstreams = {
      ps2l_saerro.servers."${tsHost "ps2live" 8101}" = {};
      ps2l_aggpop.servers."${tsHost "ps2live" 8201}" = {};
      ps2l_metagame.servers."${tsHost "ps2live" 8301}" = {};
      pdr.servers."${tsHost "porcelain-doll-repair" 3000 }" = {};
    };

    proxyCachePath."pdr" = {
      enable = true;
      keysZoneSize = "16m";
      inactive = "720m";
    };


    virtualHosts = let
      defaultConfig = {
        listen = [
          { addr = "0.0.0.0"; port = 443; ssl = true; }
          { addr = "[::]"; port = 443; ssl = true; }
        ];    
        http2 = true;
        http3 = true;
        forceSSL = lib.mkDefault true;
        enableACME = true;
      };
      static = { src ? null, url ? null, rev ? null, aliases ? [] }: {
        serverAliases = aliases;

        root = if src != null then src else builtins.fetchGit { inherit url rev; };
      } // defaultConfig;
      placeholder = {
        locations."=/" = {
          root = pkgs.writeText "placeholder.html" "empty space -- this site is non-functional";
          extraConfig = ''
            default_type text/plain;
          '';
        };
      } // defaultConfig;

      mekanoesh = static { src = flakePackage "noe-sh"; };

      ps2live = upstream: {
        locations."/" = {
          proxyPass = "http://ps2l_${upstream}";
          proxyWebsockets = true;
        };
      } // defaultConfig;
    in {
      "mekanoe.com" = mekanoesh;

      "noe.sh" = mekanoesh;

      "oc.mekanoe.com" = placeholder // {
        serverAliases = [ "" ];
      };

      "kitsu.love" = static {
        url = "https://codeberg.org/Vivieraaa/kitsu-site.git";
        rev = "f669f68f1bf89c8f161627e994c9c865811964e8";
      };

      "agg.ps2.live" = ps2live "aggpop";
      "saerro.ps2.live" = ps2live "saerro";
      "metagame.ps2.live" = ps2live "metagame" // {
        serverAliases = [ "metagame-new.ps2.live" ];
      };

      "doll.repair" = static { src = flakePackage "doll-repair"; };
      "porcelain.doll.repair" = {

        locations."/" = {
          recommendedProxySettings = true;
          proxyPass = "http://pdr";
          proxyWebsockets = true;
          extraConfig = ''
            proxy_cache pdr;
            proxy_cache_lock on;
            proxy_cache_use_stale updating;
            add_header X-Cache $upstream_cache_status;
          '';
        };
      } // defaultConfig;
    };
  };

}