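# SPDX-FileCopyrightText: 2024 Simon Bruder
#
# SPDX-License-Identifier: AGPL-3.0-or-later

# NixOS module that serves an OpenPGP Web Key Directory (WKD) from a
# dedicated "openpgpkey.<domain>" virtual host.
#
# It declares the `sbruder.wkd` options, registers the vhost with the
# `sbruder.static-webserver` module and adds a CORS header to the WKD
# location of the matching nginx virtual host.
{ config, lib, ... }:
let
  cfg = config.sbruder.wkd;

  # Builds the vhost name by prefixing the domain with "openpgpkey.".
  toFqdn = domain: "openpgpkey.${domain}";
in
{
  options.sbruder.wkd = {
    enable = lib.mkEnableOption "Web Key Directory";

    domain = lib.mkOption {
      type = lib.types.str;
      description = "The main domain to listen on. The actual fqdn will be openpgpkey.<domain>.";
      default = "sbruder.de";
    };

    domains = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      description = "Additional domains to serve.";
      default = [ ];
    };
  };

  config = lib.mkIf cfg.enable {
    sbruder.static-webserver.vhosts."${toFqdn cfg.domain}" = {
      # Every additional domain is passed as "openpgpkey.<domain>" in the
      # vhost's `redirects` list.
      # NOTE(review): how the static-webserver module implements `redirects`
      # is not visible here. Confirm that the request path is preserved and
      # that the WKD clients you care about accept a redirect to the primary
      # host; otherwise lookups for the additional domains fail.
      redirects = map toFqdn cfg.domains;
      user.name = "wkd";
    };

    services.nginx.virtualHosts."${toFqdn cfg.domain}" = {
      locations."^~ /.well-known/openpgpkey" =
        let
          # workaround for nginx dropping parent headers
          # see https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheaderredefinition.md
          #
          # nginx inherits `add_header` directives from the enclosing level
          # only when the current level defines none. Adding the CORS header
          # below would therefore drop every header set in commonHttpConfig,
          # so those lines are copied into this location.
          #
          # Only lines that begin exactly with "add_header " are copied.
          # NOTE(review): an indented directive, or one that spans several
          # lines, is not matched and would be silently missing here. Headers
          # set anywhere other than commonHttpConfig (for example at server
          # level) are not copied either. Check the effective response
          # headers of this location after changing commonHttpConfig.
          isAddHeader = lib.hasPrefix "add_header ";
          httpConfigLines = lib.splitString "\n" config.services.nginx.commonHttpConfig;
          parentHeaders = lib.concatStringsSep "\n" (lib.filter isAddHeader httpConfigLines);
        in
        {
          # The wildcard CORS header lets browser-based WKD clients read the
          # responses from any origin. It is scoped to the WKD prefix, which
          # should contain only public key material.
          extraConfig = ''
            ${parentHeaders}
            add_header Access-Control-Allow-Origin * always;
          '';
        };
    };
  };
}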