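# NixOS module: opt-in nginx reverse proxy with a locked-down default vhost.
#
# Setting `modules.services.nginx.enable = true` turns on this repository's
# ACME module, enables nginx with the NixOS "recommended*" presets, and adds a
# catch-all virtual host so that requests for unknown host names are dropped.
#
# The file must keep one statement per line: a `#` comment in Nix runs to the
# end of the line, so collapsing the module onto a single line comments out
# everything after the first `#`.
{ config, lib, ... }:

let
  # Import only the helpers used here rather than `with lib;`, so every free
  # name in this file has an obvious origin.
  inherit (lib) mkEnableOption mkIf;

  cfg = config.modules.services.nginx;
in
{
  options.modules.services.nginx = {
    enable = mkEnableOption "nginx proxy";
  };

  config = mkIf cfg.enable {
    # Project-local ACME module, defined elsewhere in this repository.
    # NOTE(review): presumably it issues the certificates the vhosts use and
    # makes them readable by the "acme" group; confirm against that module.
    modules.services.acme.enable = true;

    services.nginx = {
      enable = true;

      # prevent 3~5s downtime on update: a configuration change reloads the
      # running nginx instead of restarting it.
      enableReload = true;

      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;

      # catch-all for unknown hosts.
      #
      # `default = true` makes this the server that answers any request whose
      # Host/SNI matches no other vhost. `rejectSSL` refuses the TLS handshake
      # for such names, so the certificate of another vhost is never served to
      # a client that asked for an unknown host; it relies on nginx's
      # `ssl_reject_handshake` directive (nginx 1.19.4 or newer). Plain-HTTP
      # requests get `return 444`, nginx's non-standard code that closes the
      # connection without sending a response.
      virtualHosts."_" = {
        default = true;
        rejectSSL = true;
        extraConfig = ''
          return 444;
        '';
      };
    };

    # Let the nginx user read ACME-issued certificates and keys through group
    # membership. `users.users` is the current name of the option that
    # `users.extraUsers` aliases.
    # NOTE(review): this gives nginx read access to everything the "acme"
    # group can read, not only the certificates of its own vhosts; confirm
    # that scope is intended.
    users.users.nginx.extraGroups = [ "acme" ];
  };
}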