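{ config, pkgs, ... }:
let
  inherit (import ./lib.nix config) mkContainer localHostRule terakoda;

  # Response headers that should be present on every response.
  #
  # nginx does NOT merge `add_header` directives: a `location` block that
  # declares its own `add_header` (both locations below do, for Cache-Control)
  # replaces the whole inherited set from `server`, so the headers declared
  # only at server level were effectively never sent.  The snippet is therefore
  # emitted in every block that uses `add_header`.  `always` also attaches the
  # headers to 4xx/5xx responses, not just 2xx/3xx.
  securityHeaders = ''
    # X-Frame-Options is to prevent from clickJacking attack
    add_header X-Frame-Options SAMEORIGIN always;
    # disable content-type sniffing on some browsers.
    add_header X-Content-Type-Options nosniff always;
    # Legacy XSS-auditor toggle; current browsers ignore it, kept for older ones.
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "no-referrer-when-downgrade" always;
  '';

  # Complete nginx.conf for the static front-end container; mounted read-only
  # over /etc/nginx/nginx.conf below.
  nginxConf = pkgs.writeText "dm-companion-nginx.conf" ''
    user nginx;
    worker_processes auto;

    # error.log is symlinked to /dev/stderr
    error_log /var/log/nginx/error.log notice;
    pid /run/nginx.pid;

    events {
      worker_connections 1024;
    }

    http {
      include /etc/nginx/mime.types;
      default_type application/octet-stream;

      log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

      # access.log is symlinked to /dev/stdout
      access_log /var/log/nginx/access.log main;

      sendfile on;
      keepalive_timeout 65;
      gzip on;
      # Enables response header of "Vary: Accept-Encoding"
      # This lets the cache have different entries depending on the encoding, e.g. compression
      gzip_vary on;

      server {
        listen 80;
        # NOTE(review): the volume paths below use dm.terakoda.com; with a single
        # server block this name is never matched against, but confirm it is intended.
        server_name dm.blazestar.net;
        root /usr/share/nginx/html;

        ${securityHeaders}

        # Serve static files separately.
        # Dots escaped and pattern anchored so only these two exact paths match.
        location ~ ^/(robots\.txt|manifest\.json)$ {
          expires modified 1y;
          add_header Cache-Control "public";
          ${securityHeaders}
          access_log off;
        }

        location / {
          try_files $uri $uri/ /index.html;
          index index.html;
          expires -1;
          add_header Cache-Control "no-store, no-cache, must-revalidate";
          ${securityHeaders}
        }
      }
    }
  '';
in
{
  virtualisation.oci-containers.containers = {
    # Backend (PocketBase).  The extra router label sends `/api` requests for the
    # same host rule to this container instead of the nginx front-end.
    dm-companion-pocketbase =
      let hostName = "dm-pocketbase";
      in mkContainer {
        inherit hostName;
        image = "docker.havenisms.com/lazy-dm/pocketbase";
        domain = terakoda;
        port = 8080;
        volumes = [
          "/tank/web/dm.terakoda.com/pb_data:/pb/pb_data"
          "/tank/web/dm.terakoda.com/pb_migrations:/pb/pb_migrations:ro"
        ];
        environment = { };
        extraLabels = {
          "traefik.http.routers.${hostName}-api.rule" =
            "PathPrefix(`/api`) && ${localHostRule "dm" terakoda}";
          "traefik.http.routers.${hostName}-api.service" = "${hostName}";
        };
      };

    # Static front-end served by nginx using the configuration above.
    dm-companion = mkContainer {
      # NOTE(review): a floating tag pulls whatever is current at deploy time;
      # pinning to a specific version or an image digest makes the deployment
      # reproducible and the update an explicit change.
      image = "nginx:alpine";
      hostName = "dm";
      domain = terakoda;
      port = 80;
      dependsOn = [ "dm-companion-pocketbase" ];
      volumes = [
        "/tank/web/dm.terakoda.com/deployed:/usr/share/nginx/html:ro"
        "${nginxConf}:/etc/nginx/nginx.conf:ro"
      ];
    };
  };
}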