{ config, lib, pkgs, private_assets, ... }:
let
  # todo create flake for this
  errorPages = pkgs.fetchFromGitHub {
    owner = "mrvandalo";
    repo = "http-errors";
    rev = "74b8e4c1d9bbba3db6ad858b888e1867318af1f0";
    sha256 = "0czdzafx4k76q773lyf3vsjm74g1995iz542dhw15kpy5xbivsrg";
  };
  error = {
    extraConfig = ''
      error_page 400 /errors/400.html;
      error_page 401 /errors/401.html;
      error_page 402 /errors/402.html;
      error_page 403 /errors/403.html;
      error_page 404 /errors/404.html;
      error_page 405 /errors/405.html;
      error_page 406 /errors/406.html;
      error_page 500 /errors/500.html;
      error_page 501 /errors/501.html;
      error_page 502 /errors/502.html;
      error_page 503 /errors/503.html;
      error_page 504 /errors/504.html;
    '';
    locations."^~ /errors/" = {
      extraConfig = "internal;";
      root = "${errorPages}/";
    };
  };
in

{
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  networking.firewall.allowedUDPPorts = [ 80 443 ];


  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    virtualHosts = {

      "ingolf-wagner.de" = {
        forceSSL = true;
        enableACME = true;
        extraConfig = error.extraConfig;
        root = "/srv/www/ingolf-wagner.de";
        locations = {
          "/" = { };
          "= /pgp.key" = {
            alias = pkgs.writeText "key" (lib.fileContents ../../assets/pgp.key);
          };
          "= /gpg.key" = {
            alias = pkgs.writeText "key" (lib.fileContents ../../assets/pgp.key);
          };
          "= /ssh.key" = {
            alias = pkgs.writeText "key" (lib.fileContents ../../assets/ssh/card_rsa.pub);
          };
        } // error.locations;
      };

      "stable-diffusion.ingolf-wagner.de" = {
        forceSSL = true;
        enableACME = true;
        extraConfig = error.extraConfig;
        root = "/srv/www/stable-diffusion";
        locations = {
          "/model-v1-4.ckpt" = {
            basicAuthFile = "${private_assets}/stable-diffusion-htpasswd";
            tryFiles = "/stable-diffusion-v-1-4-original/sd-v1-4.ckpt =404";
          };
          #"/model-v1-3.ckpt" = {
          #  basicAuthFile = "${private_assets}/stable-diffusion-htpasswd";
          #  tryFiles = "stable-diffusion-v-1-3-original/sd-v1-3.ckpt";
          #};
        } // error.locations;
      };
      "travel.ingolf-wagner.de" = {
        forceSSL = true;
        enableACME = true;
        extraConfig = error.extraConfig;
        locations = {
          "/" = {
            root = "/srv/www/travel";
            extraConfig = ''
              if (-d $request_filename) {
                rewrite [^/]$ $scheme://$http_host$request_uri/ permanent;
              }
            '';
          };
        } // error.locations;
      };
      "tech.ingolf-wagner.de" = {
        forceSSL = true;
        enableACME = true;
        extraConfig = error.extraConfig;
        locations = {
          "/" = {
            root = "/srv/www/tech";
            extraConfig = ''
              if (-d $request_filename) {
                rewrite [^/]$ $scheme://$http_host$request_uri/ permanent;
              }
            '';
          };
        } // error.locations;
      };
      "terranix.org" = {
        forceSSL = true;
        enableACME = true;
        extraConfig = error.extraConfig;
        locations = {
          "/" = {
            root = "/srv/www/terranix";
            extraConfig = ''
              if (-d $request_filename) {
                rewrite [^/]$ $scheme://$http_host$request_uri/ permanent;
              }
            '';
          };
        } // error.locations;
      };
    };
  };
}