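{ config, lib, pkgs, ... }:

{
  # ACME (Let's Encrypt) configuration.
  #
  # Vhosts below that set `enableACME = true` get their certificate requested
  # by the nginx module automatically. The explicit `certs` entry is a
  # webroot-validated certificate whose challenge files are served by the
  # `acmechallenge.<domain>` vhost further down; its `webroot` must therefore
  # match that vhost's `/.well-known/acme-challenge` root.
  security.acme = {
    acceptTerms = true;
    defaults.email = "jonashahn1@gmx.net";
    # DNS-01 validation is not in use; kept for reference only.
    #defaults.dnsProvider = "route53";
    #defaults.dnsResolver = "2606:4700:4700::1111";

    certs = {
      "cloud.hahn1.one" = {
        # Same path as the acme-challenge location in the vhost below.
        webroot = "/var/lib/acme/.challenges";
        group = "nginx";
      };
    };
    # NOTE(review): if `config.services.nextcloud.hostName` evaluates to
    # "cloud.hahn1.one", the `enableACME = true` on that vhost defines the same
    # cert a second time (with the nginx module's own webroot) — confirm the two
    # definitions do not conflict.
  };

  # nginx must be able to read the private keys owned by the acme user.
  users.users.nginx.extraGroups = [ "acme" ];

  services.nginx =
    let
      # Build a self-signed development certificate as a local derivation.
      # `name` is the derivation name, `commonName` the certificate CN.
      # Produces $out/key.pem and $out/cert.pem (unencrypted key, 10-year
      # validity); intended for local testing only. Currently unused — see the
      # commented dev-cert vhost example under `virtualHosts`.
      mkDevCert = name: commonName:
        pkgs.runCommandLocal "${name}-dev-cert" { buildInputs = [ pkgs.openssl ]; } ''
          mkdir -p $out
          openssl req -x509 -newkey rsa:4096 -keyout $out/key.pem -out $out/cert.pem -days 3650 -nodes \
            -subj "/CN=${commonName}"
        '';

      # Example dev certs (disabled):
      # collaboraCert = mkDevCert "collabora-misox-cert" "collabora.misox";
      # nextCert = mkDevCert "nextcloud-misox-cert" "nextcloud.misox";
      # defCert = mkDevCert "default-misox-cert" "misox";

      # Base domain shared by all public vhosts.
      domain = "hahn1.one";
    in
    {
      enable = true;
      recommendedProxySettings = true;
      recommendedOptimisation = true;
      recommendedGzipSettings = true;

      virtualHosts = {
        # Dev-cert variant of the Nextcloud vhost (disabled). Shows how to
        # serve a locally generated certificate instead of using ACME:
        #"${config.services.nextcloud.hostName}" = {
        #  enableACME = false;
        #  forceSSL = true;
        #  sslCertificate = "${nextCert}/cert.pem";
        #  sslCertificateKey = "${nextCert}/key.pem";
        #};

        # Nextcloud. `forceSSL` (rather than `addSSL`) redirects plain HTTP to
        # HTTPS so credentials and session cookies are never served over
        # cleartext; the ACME HTTP-01 challenge path is exempted by the module.
        "${config.services.nextcloud.hostName}" = {
          enableACME = true;
          forceSSL = true;
        };

        # Grafana, reverse-proxied from its local HTTP port.
        "grafana.${domain}" = {
          enableACME = true;
          forceSSL = true;
          # Example of pinning an explicit listener (disabled):
          #listen = [{ addr = "0.0.0.0"; port = grafana_port;}];
          locations."/" = {
            proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
            proxyWebsockets = true;
          };
        };

        # Serves HTTP-01 challenge files for the webroot-validated cert above
        # and redirects everything else under the domain to HTTPS. The alias
        # uses `domain` so it actually covers this deployment's subdomains
        # (it previously pointed at the placeholder `*.example.com`). Exact
        # server names defined elsewhere in this file take precedence over
        # the wildcard, and unknown hosts fall through to the `default` vhost.
        "acmechallenge.${domain}" = {
          serverAliases = [ "*.${domain}" ];
          locations."/.well-known/acme-challenge" = {
            root = "/var/lib/acme/.challenges";
          };
          locations."/" = {
            return = "301 https://$host$request_uri";
          };
        };

        # Collabora Online, reverse-proxied over IPv6 loopback.
        "cool.${domain}" = {
          enableACME = true;
          forceSSL = true;
          locations."/" = {
            proxyPass = "http://[::1]:${toString config.services.collabora-online.port}";
            proxyWebsockets = true;
          };
        };

        # Bare domain; `default = true` makes this the server nginx uses for
        # requests whose Host header matches no other vhost. Serves the stock
        # nginx landing page.
        "${domain}" = {
          default = true;
          enableACME = true;
          forceSSL = true;
          locations."/" = {
            root = "${pkgs.nginx}/html";
            index = "index.html";
          };
        };
      };
    };
}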