# Nginx front-end for this host: the main site on the FQDN (static files with
# server-side includes) and Forgejo behind a reverse proxy on the git. subdomain.
{ config, self, ... }:
let
  inherit (config.networking) fqdn;
  acmeEnabled = config.acme.enable;

  # robots.txt that asks every crawler to stay away from every path; it is
  # served as the "= /robots.txt" location of each vhost built below.
  denyAllRobots = builtins.toFile "robots.txt" ''
    User-agent: *
    Disallow: /
  '';

  # Settings shared by every vhost: redirect to TLS and use the main FQDN's
  # ACME certificate when ACME is on; plain HTTP, no certificate, when it is off.
  baseVhost = {
    forceSSL = acmeEnabled;
    useACMEHost = if acmeEnabled then fqdn else null;
    locations."= /robots.txt".alias = denyAllRobots;
  };

  # Build a vhost from the shared base: `locs` is merged over the base
  # locations (so it may override robots.txt), then `extra` is merged over
  # the whole vhost and wins on any conflicting key.
  vhost = extra: locs:
    baseVhost // { locations = baseVhost.locations // locs; } // extra;

  # Reverse proxy to a service on the loopback interface. Buffering is turned
  # off in both directions so request and response bodies stream through.
  proxyTo = port: {
    proxyPass = "http://127.0.0.1:${toString port}/";
    extraConfig = ''
      proxy_buffering off;
      proxy_request_buffering off;
    '';
  };

  # Static files served from `webRoot` with nginx SSI enabled. SSI executes
  # directives found inside the served files, so `webRoot` must be trusted
  # content; here it comes from the pinned `self.pins.website` input.
  staticWithSsi = webRoot: {
    root = webRoot;
    extraConfig = ''
      ssi on;
    '';
  };
in
{
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;

    virtualHosts = {
      # Main site; `default = true` makes this the catch-all server block.
      ${fqdn} = vhost { default = true; } {
        "/" = staticWithSsi "${self.pins.website}/web-root";
      };

      # Forgejo, proxied via 127.0.0.1 on the HTTP port from its own settings.
      "git.${fqdn}" = vhost { } {
        "/" = proxyTo config.services.forgejo.settings.server.HTTP_PORT;
      };
    };
  };

  # Only HTTP and HTTPS are opened for nginx; the proxied service stays behind it.
  networking.firewall.allowedTCPPorts = [ 80 443 ];
}