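# Authelia SSO portal for the fudo network.
#
# Host roles are derived from the instance hostname: `autheliaHost` runs the
# Authelia service plus a local nginx front-end, `gatewayHost` runs nginx as
# the edge proxy.  Both hostnames are literals, so relocating the service
# means editing this file.
#
# Changes from the previous revision: the source was collapsed onto one line,
# which let the first `#` comment swallow the rest of the module; it is laid
# out one statement per line again.  The unused `let` bindings
# (`autheliaHostname`, `autheliaFqdn`, `hostSecrets`) were dropped — nothing
# in this module referenced them.
{ config, lib, pkgs, ... }:

with lib;

let
  hostname = config.instance.hostname;
  host = config.fudo.hosts."${hostname}";
  domainName = host.domain;
  domain = config.fudo.domains."${domainName}";
  zone = domain.zone;

  # Hard-coded host roles (not derived from the zone configuration).
  autheliaHost = "nostromo";
  gatewayHost = "limina";

  # Port the Authelia server listens on; nginx proxies to it below.
  autheliaPort = 7065;

  isAuthelia = hostname == autheliaHost;
  isProxy = hostname == gatewayHost;

in {
  config = {
    # DNS alias so "authelia.<zone>" resolves to the Authelia host.  This is
    # set unconditionally, on every host that imports the module.
    fudo.zones."${zone}".aliases.authelia = autheliaHost;

    services = {
      authelia.instances.seattle = mkIf isAuthelia {
        enable = true;
        settings = {
          # NOTE(review): recent Authelia releases deprecate `server.port` in
          # favour of `server.address` — confirm against the pinned version.
          server.port = autheliaPort;
          default_2fa_method = "webauthn";
        };
        secrets = {
          # Secret material comes from the host's service-secrets store; the
          # files are referenced by path, never inlined into the Nix store.
          jwtSecretFile =
            config.fudo.secrets.files.service-secrets."${hostname}"."authelia.jwt";
          storageEncryptionKeyFile =
            config.fudo.secrets.files.service-secrets."${hostname}"."authelia.storage";
          # NOTE(review): no session secret file is configured here; confirm
          # the module/Authelia version does not require one for this setup.
        };
      };

      nginx = mkIf (isProxy || isAuthelia) {
        enable = true;
        recommendedOptimisation = true;
        recommendedProxySettings = true;
        virtualHosts = {
          # Former Keycloak front-end on the gateway, kept for reference.
          # "${keycloakHostname}" = mkIf isProxy {
          #   enableACME = true;
          #   forceSSL = true;
          #   locations."/" = {
          #     proxyPass = "http://keycloak.${domainName}:80";
          #     proxyWebsockets = true;
          #   };
          # };

          "authelia.${domainName}" = mkIf isAuthelia {
            # SECURITY: this vhost serves the login portal over plain HTTP
            # (no ACME certificate, TLS not forced), so credentials and
            # session cookies cross the network in cleartext unless a
            # TLS-terminating proxy sits in front of it.  This file defines
            # no virtualHost for Authelia on the gateway host, so that proxy
            # would have to come from elsewhere — confirm before exposing.
            enableACME = false;
            forceSSL = false;
            locations."/" = {
              proxyPass = "http://localhost:${toString autheliaPort}";
              proxyWebsockets = true;
            };
          };
        };
      };
    };
  };
}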