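{ config, lib, options, pkgs, ... }:
# I added this reverse proxy for, at first, use with Jellyfin. It sets up TLS automagically
# 1. https://caddyserver.com/docs/quick-starts/https
# 2. https://caddyserver.com/docs/automatic-https
#
# NixOS module: runs Caddy as a TLS-terminating reverse proxy in front of a
# service listening on loopback, and opens the proxy's two ports in the firewall.
let
  # Non-default listener ports. Caddy's `http_port`/`https_port` options only
  # change where Caddy listens; ACME HTTP-01 / TLS-ALPN-01 validation still
  # arrives on external 80/443, so those must be forwarded to these ports for
  # public certificate issuance to work.
  httpPort = 8090;
  httpsPort = 8443;
  # Backend port on 127.0.0.1. It is intentionally not added to the firewall below.
  jellyfinPort = 8096;
in
{
  # certutil and friends, available system-wide.
  # NOTE(review): presumably here so Caddy's internal CA root can be installed
  # into NSS trust stores for the IP-address site below; confirm.
  environment.systemPackages = [ pkgs.nss.tools ];

  services.caddy = {
    enable = true;

    # Pass secrets to the service without adding them to the world-readable nix store.
    # This only holds if the file itself is locked down: systemd reads
    # EnvironmentFile before dropping privileges, so root:root with mode 0600 is
    # sufficient and keeps it unreadable to other local users.
    environmentFile = "/etc/secrets/caddy.env";

    # NOTE(review): DEBUG here plus `debug` in globalConfig is the most verbose
    # setting. Useful while bringing the proxy up; consider a quieter level
    # afterwards to keep request detail out of the journal.
    logFormat = ''
      level DEBUG
    '';

    # https://caddyserver.com/docs/caddyfile/options
    # `{$EMAIL}` is a Caddyfile environment placeholder, substituted when the
    # config is parsed (presumably defined in environmentFile above).
    # `grace_period` is finite because enableReload is set further down.
    globalConfig = ''
      debug
      email {$EMAIL}
      grace_period 5s
      http_port ${toString httpPort}
      https_port ${toString httpsPort}
    '';

    # https://caddyserver.com/docs/caddyfile
    # https://caddyserver.com/docs/caddyfile/concepts
    # https://caddyserver.com/docs/caddyfile/patterns
    # https://caddyserver.com/docs/caddyfile/directives/reverse_proxy
    virtualHosts = {
      # NOTE(review): per the automatic-https docs linked above, wildcard
      # certificates require the ACME DNS challenge, and no `tls { dns ... }`
      # block is configured here. Confirm how this certificate gets issued.
      # Every subdomain matching the wildcard is proxied to the same backend.
      "*.brunofauth.onthewifi.com".extraConfig = ''
        # respond "Hello, world!"
        reverse_proxy 127.0.0.1:${toString jellyfinPort}
      '';

      # A bare IP site cannot get a publicly trusted certificate; Caddy serves
      # it from its internal CA, so clients must trust that root explicitly.
      "192.168.0.58".extraConfig = ''
        reverse_proxy 127.0.0.1:${toString jellyfinPort}
      '';
    };

    # If you enable this option, consider setting `grace_period` to a non-infinite value in
    # services.caddy.globalConfig (https://caddyserver.com/docs/caddyfile/options#grace-period)
    enableReload = true;
  };

  # `systemd.services.<name>.path` appends /bin and /sbin to every entry
  # itself, so the package is passed here rather than a ".../bin" string.
  # The string form would put ".../bin/bin" on PATH, which does not exist, and
  # the NSS tools would not be found by the service.
  systemd.services.caddy.path = [ pkgs.nss.tools ];

  # Only the proxy listeners are opened. The backend port stays closed and is
  # reached over loopback. If the proxy is meant to be the sole entry point,
  # check that the backend is not exposed separately (e.g. via its own
  # `openFirewall` option or by binding to all interfaces).
  networking.firewall.allowedTCPPorts = [
    httpPort
    httpsPort
  ];
}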