{ config, lib, ... }:
let
  cfg = config.services.nitter;
in
{
  services.nitter = {
    enable = true;
    server = {
      port = 8081;
      hostname = "nitter.sbruder.xyz";
      address = "127.0.0.1";
    };
    preferences = {
      theme = "Auto";
      replaceTwitter = "${cfg.server.hostname}";
      muteVideos = true;
      hlsPlayback = true;
      replaceYouTube = "${config.services.invidious.domain}";
    };
  };

  services.nginx.virtualHosts.${cfg.server.hostname} = {
    forceSSL = true;
    enableACME = true;
    locations = {
      "/robots.txt".return = "200 'User-agent: *\\nDisallow: /'";
      "/" = {
        proxyPass = "http://${cfg.server.address}:${toString cfg.server.port}";
        extraConfig =
          let
            # workaround for nginx dropping parent headers
            # see https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheaderredefinition.md
            parentHeaders = lib.concatStringsSep "\n" (lib.filter
              (lib.hasPrefix "add_header ")
              (lib.splitString "\n" config.services.nginx.commonHttpConfig));
          in
          ''
            ${parentHeaders}
            add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' blob:; style-src 'self' 'unsafe-inline'";
          '';
      };
    };
  };
}