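# NixOS module for a live.hacc.media front node: opens ports 80/443, enables
# netdata, and configures nginx to redirect viewers to one of two CDN nodes
# and to reverse-proxy the netdata dashboard under /stats/.
{config, lib, pkgs, ...}:
{
  networking.firewall.allowedTCPPorts = [
    80 # HTTP
    443 # HTTPS
  ];

  # netdata's port (19999) is not in the list above; the dashboard is reached
  # through the nginx proxy on loopback below.
  # NOTE(review): this relies on the NixOS firewall being enabled and/or
  # netdata binding to localhost only. Confirm against the host config.
  services.netdata = {
    enable = true;
  };

  # Enable nginx service
  services.nginx = {
    enable = true;

    # Use recommended settings
    # Don't use recommended Proxy settings because it does funky things with the setup
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedTlsSettings = true;

    virtualHosts."${config.networking.hostName}.live.hacc.media" = {
      locations = {
        "/" = {
          # Send every other request to the CDN host chosen by split_clients
          # (see appendHttpConfig), keeping the original path and query.
          # NOTE(review): this vhost forces HTTPS but the redirect target is
          # plain http://, so clients are moved from TLS to cleartext. Use
          # https:// here if the CDN nodes serve TLS.
          return = "301 \"http://$cdnhosts$request_uri\"";
          # NOTE(review): `auth_basic off` only has an effect if basic auth is
          # enabled at a wider scope outside this file. Confirm that /stats/
          # still inherits it, since that location exposes host metrics.
          extraConfig = ''
            auth_basic off;
          '';
        };

        # Normalise the bare path so the regex location below matches.
        "/stats" = {
          return = "301 /stats/";
        };

        # The named capture `ndpath` holds everything after /stats/ and is
        # passed on to netdata in proxyPass; without the group name nginx
        # rejects the regex and $ndpath is undefined.
        "~ /stats/(?<ndpath>.*)" = {
          proxyPass = "http://127.0.0.1:19999/$ndpath$is_args$args";
          extraConfig = ''
            proxy_redirect off;
            proxy_set_header Host $host;

            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_http_version 1.1;
            proxy_pass_request_headers on;
            proxy_set_header Connection "keep-alive";
            proxy_store off;

            gzip on;
            gzip_proxied any;
            gzip_types *;
          '';
        };
      };

      forceSSL = true;
      enableACME = true;
    };

    # Pick a CDN host per client: split_clients hashes $remote_addr and maps
    # it into one of two equal buckets, so a given address keeps landing on
    # the same node.
    appendHttpConfig = ''
      split_clients "$remote_addr" $cdnhosts {
        50% "cdn-node-1.live.hacc.media";
        50% "cdn-node-2.live.hacc.media";
      }
    '';
  };
}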