inputs: { config, ... }:
let
  # This node's VPN identity; used to keep the metrics endpoint off the
  # public interfaces.
  vpn = config.topology.mainVpn;
  exporterPort = config.services.prometheus.exporters.nginx.port;
in
{
  services = {
    nginx = {
      enable = true;

      # The prometheus nginx exporter scrapes the stub_status page.
      # NOTE(review): the NixOS module is expected to limit /nginx_status to
      # localhost — confirm against the module version in use.
      statusPage = true;

      # NixOS-provided presets (TLS, proxy, gzip, general tuning).
      recommendedTlsSettings = true;
      recommendedProxySettings = true;
      recommendedOptimisation = true;
      recommendedGzipSettings = true;

      # DH parameters come from the security.dhparams set below rather than
      # from a hand-managed file.
      sslDhparam = config.security.dhparams.params.nginx.path;

      # Response-header hardening — currently disabled, kept as a reference.
      # Note that X-XSS-Protection is deprecated in modern browsers; a
      # Content-Security-Policy is the maintained replacement.
      # commonHttpConfig = ''
      #   # Add HSTS header with preloading to HTTPS requests.
      #   # Adding this header to HTTP requests is discouraged
      #   map $scheme $hsts_header {
      #     https "max-age=31536000; includeSubdomains; preload";
      #   }
      #   add_header Strict-Transport-Security $hsts_header;
      #
      #   add_header 'Referrer-Policy' 'strict-origin-when-cross-origin';
      #
      #   add_header X-Frame-Options DENY;
      #
      #   add_header X-Content-Type-Options nosniff;
      #
      #   # Better to setup CSP, but nice default nonetheless
      #   add_header X-XSS-Protection "1; mode=block";
      # '';
    };

    # The exporter binds to the node's VPN address only (bracketed for an
    # IPv6 literal), not to a wildcard address.
    prometheus.exporters.nginx = {
      enable = true;
      listenAddress = "[${vpn.currentNodeIP}]";
    };
  };

  # Generate a DH parameter file for nginx; referenced via sslDhparam above.
  security.dhparams = {
    enable = true;
    params.nginx = { };
  };

  networking.firewall = {
    # Public HTTP/HTTPS on every interface ...
    allowedTCPPorts = [ 80 443 ];
    # ... but the metrics port only on the VPN interface.
    interfaces.${vpn.interfaceName}.allowedTCPPorts = [ exporterPort ];
  };
}