
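# Public ingress reverse proxy.  nginx (tengine) terminates TLS for the hosted
# domains and forwards each one to a backend reached by its tailnet (*.ts.net)
# hostname and port, so the only ports this host exposes to the internet are
# the HTTP/HTTPS listeners configured below.
{ lib, pkgs, config, inputs, ... }: let
  # Tailnet address of a backend: "<name>.hoki-porgy.ts.net:<port>".
  tsHost = name: port: "${name}.hoki-porgy.ts.net:${toString port}";
  # Default package of the named flake input, built for this host's system.
  flakePackage = flake: inputs.${flake}.packages.${pkgs.system}.default;
in {
  imports = [
    ../../templates/proxmox-lxc.nix
    ../../server.nix
    ../../features/dns-cache.nix
    ../../features/nginx.nix
    ../../features/telemetry/nginx.nix
  ];

  networking.hostName = "ingress-proxy";
  system.stateVersion = "24.05";
  nixpkgs.hostPlatform = "x86_64-linux";

  # TCP 80/443 carry HTTP/1.1 and HTTP/2; UDP 443 carries HTTP/3 (QUIC), which
  # nginx only speaks on the ssl listeners.  Nothing listens on UDP 80, so that
  # port is deliberately not opened.
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  networking.firewall.allowedUDPPorts = [ 443 ];

  services.nginx = {
    package = pkgs.tengine;
    recommendedBrotliSettings = true;
    recommendedGzipSettings = true;
    recommendedZstdSettings = true;
    recommendedTlsSettings = true;
    recommendedProxySettings = true;
    # Applies to every vhost, including the static ones; lower this per
    # location if only the upload-heavy backends need it.
    clientMaxBodySize = "150m";

    # One upstream per backend service, addressed over the tailnet.
    upstreams = {
      ps2l_saerro.servers."${tsHost "ps2live" 8101}" = {};
      ps2l_aggpop.servers."${tsHost "ps2live" 8201}" = {};
      ps2l_metagame.servers."${tsHost "ps2live" 8301}" = {};
      pdr.servers."${tsHost "porcelain-doll-repair" 3000}" = {};
      se.servers."${tsHost "sapphic-engineer" 4000}" = {};
      git.servers."${tsHost "git" 3000}" = {};
    };

    # On-disk response caches used by the "pdr" and "se" vhosts below.
    proxyCachePath."pdr" = {
      enable = true;
      keysZoneSize = "16m";
      keysZoneName = "pdr";
      inactive = "720m";
    };
    proxyCachePath."se" = {
      enable = true;
      keysZoneSize = "16m";
      keysZoneName = "se";
      inactive = "720m";
    };

    virtualHosts = let
      # Shared listener/TLS settings.  forceSSL is mkDefault so individual
      # vhosts can switch the HTTP->HTTPS redirect off with `// { forceSSL = false; }`;
      # those vhosts then answer plain HTTP as well as HTTPS.
      defaultConfig = {
        listen = [
          { addr = "0.0.0.0"; port = 80; }
          { addr = "0.0.0.0"; port = 443; ssl = true; }
          { addr = "[::]"; port = 80; }
          { addr = "[::]"; port = 443; ssl = true; }
        ];
        http2 = true;
        http3 = true;
        forceSSL = lib.mkDefault true;
        enableACME = true;
      };

      # Static site served from either a prebuilt store path (src) or a git
      # checkout pinned to a full commit hash (url + rev); the pinned rev is
      # what keeps the fetched content reproducible.  Evaluation fails if
      # neither src nor url/rev is given.
      static = { src ? null, url ? null, rev ? null, aliases ? [] }: {
        serverAliases = aliases;
        root = if src != null then src else builtins.fetchGit { inherit url rev; };
      } // defaultConfig;

      # Minimal "nothing here" vhost.  Currently unreferenced; kept as a
      # ready-made stand-in for a domain whose backend is retired.
      placeholder = {
        locations."=/" = {
          root = pkgs.writeText "placeholder.html" "empty space -- this site is non-functional";
          extraConfig = ''
            default_type text/plain;
          '';
        };
      } // defaultConfig;

      mekanoesh = static { src = flakePackage "noe-sh"; };

      # Proxy a ps2.live service to its "ps2l_<upstream>" upstream.
      ps2live = upstream: {
        locations."/" = {
          proxyPass = "http://ps2l_${upstream}";
          proxyWebsockets = true;
        };
      } // defaultConfig;
    in {
      "mekanoe.com" = mekanoesh;
      "noe.sh" = mekanoesh;

      "foxxolay.com" = static {
        url = "https://github.com/foxxolay/foxxolay.com.git";
        rev = "d7b00d742d9f209c0be569aa95abfa32c42cc1c3";
      } // { forceSSL = false; };

      "git.foxxolay.com" = {
        locations."/" = {
          recommendedProxySettings = true;
          proxyPass = "http://git";
        };
      } // defaultConfig // { forceSSL = false; };

      "kitsu.love" = static {
        url = "https://codeberg.org/Vivieraaa/kitsu-site.git";
        rev = "f669f68f1bf89c8f161627e994c9c865811964e8";
      };

      "agg.ps2.live" = ps2live "aggpop";
      "saerro.ps2.live" = ps2live "saerro";
      "metagame.ps2.live" = ps2live "metagame";

      "doll.repair" = static { src = flakePackage "doll-repair"; } // { forceSSL = false; };

      "porcelain.doll.repair" = {
        # serverAliases = ["p.doll.repair"]; # Media Proxy
        locations."/" = {
          recommendedProxySettings = true;
          proxyPass = "http://pdr";
          proxyWebsockets = true;
          # NOTE(review): an add_header inside a location replaces every
          # add_header inherited from the server/http level, so any
          # security headers set there do not apply here -- confirm none are.
          extraConfig = ''
            proxy_cache pdr;
            proxy_cache_lock on;
            proxy_cache_use_stale updating;
            add_header X-Cache $upstream_cache_status;
          '';
        };
      } // defaultConfig // { forceSSL = false; };

      "sapphic.engineer" = {
        # serverAliases = ["p.sapphic.engineer"];
        locations."/" = {
          recommendedProxySettings = true;
          proxyPass = "http://se";
          proxyWebsockets = true;
          extraConfig = ''
            proxy_request_buffering off;
          '';
        };
        # Media proxy: responses are fetched in 1m slices and cached for up
        # to a year.  The cache key is host + path + query + slice range
        # only, so cached bodies are shared by every client that asks for
        # the same URL -- presumably everything under /proxy is public;
        # verify before putting anything per-user behind it.
        locations."/proxy" = {
          recommendedProxySettings = true;
          proxyPass = "http://se";
          extraConfig = ''
            proxy_request_buffering off;
            proxy_cache se;
            slice 1m;
            proxy_cache_key $host$uri$is_args$args$slice_range;
            proxy_set_header Range $slice_range;
            proxy_buffering on;
            proxy_cache_lock on;
            proxy_ignore_client_abort on;
            proxy_cache_valid 200 1y;
            proxy_cache_valid 206 301 304 1h;
            proxy_cache_use_stale error timeout invalid_header updating;
          '';
        };
      } // defaultConfig // { forceSSL = false; };
    };
  };
}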