{ config, ... }:

{
  sops.secrets = {
    media-htpasswd.owner = "nginx";
    media-proxy-auth.owner = "nginx";
    media-sb-proxy-auth = {
      owner = "nginx";
      sopsFile = ../secrets.yaml;
    };
  };

  services.nginx.virtualHosts."media-sb.sbruder.de" = {
    enableACME = true;
    forceSSL = true;

    basicAuthFile = config.sops.secrets.media-htpasswd.path;

    locations = {
      "/" = {
        extraConfig = ''
          rewrite ^(.*/)$ /__regular$1 last;
          rewrite ^(.*\\.[^/]*)$ /__storagebox$1 last;
        '';
      };
      "/__nginx-interactive-index-assets__/".alias = "${builtins.filterSource
        (path: type: baseNameOf path != "default.nix")
        ../../../modules/nginx-interactive-index}/";

      "/__regular/" = {
        extraConfig = ''
          internal;
          proxy_pass https://media.sbruder.de/;
          include ${config.sops.secrets.media-proxy-auth.path};
          proxy_buffering off;
        '';
      };
      "/__storagebox/" = {
        extraConfig = ''
          internal;
          proxy_pass https://u313368-sub3.your-storagebox.de/;
          proxy_set_header Host u313368-sub3.your-storagebox.de;
          include ${config.sops.secrets.media-sb-proxy-auth.path};
          proxy_buffering off;
        '';
      };
    };
  };
}