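{ config, lib, ... }:

let
  cfg = config.sbruder.nginx;
in
{
  options.sbruder.nginx = {
    # Opt-in: adds a baseline set of browser security headers at the http{} level.
    hardening.enable = lib.mkEnableOption "nginx hardening";
    # On by default: turns the access log off globally (see the caveat below).
    privacy.enable = (lib.mkEnableOption "nginx privacy options") // { default = true; };
  };

  # Both branches append to commonHttpConfig (a `lines` option), so the two
  # snippets are concatenated when both features are enabled.
  config = lib.mkMerge [
    (lib.mkIf cfg.hardening.enable {
      # NOTE: nginx does not inherit `add_header` into a server/location block
      # that declares its own `add_header`; such blocks must repeat these headers
      # or the hardening silently disappears there.
      services.nginx.commonHttpConfig = ''
        # Only emit HSTS on TLS responses; for plain http the map yields an empty
        # value, and nginx omits headers whose value is empty.
        map $scheme $hsts_header {
          https "max-age=31536000";
        }
        # `always` makes nginx send the headers on every status code; without it
        # add_header only applies to a fixed set of 2xx/3xx responses, so error
        # pages (404/500 ...) would ship without any of these protections.
        add_header Strict-Transport-Security $hsts_header always;
        add_header Referrer-Policy strict-origin always;
        add_header X-Content-Type-Options nosniff always;
        add_header X-Frame-Options SAMEORIGIN always;
      '';
    })
    (lib.mkIf cfg.privacy.enable {
      # Privacy trade-off: with the access log off there is no request trail for
      # incident response or abuse investigation. Set privacy.enable = false on
      # hosts where that evidence matters.
      services.nginx.commonHttpConfig = ''
        access_log off;
      '';
    })
  ];
}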