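{lib, pkgs, config, ...}:
/* taken from https://github.com/jdheyburn/nixos-configs no license */
with lib;
let
  cfg = config.modules.caddy;

  # Caddy's admin API port (it also serves /metrics). The admin API carries no
  # authentication and accepts live configuration changes, so it must only
  # ever be reachable from hosts that are allowed to reconfigure Caddy.
  caddyMetricsPort = 2019;

  # Render one Caddyfile site block per domain -> upstream pair.
  #
  # proxies: attribute set mapping a domain (string) to an upstream
  #          address (string) as accepted by reverse_proxy.
  # Returns a Caddyfile fragment with one site block per entry, separated
  # by blank lines.
  #
  # The header_up directives are subdirectives of reverse_proxy, so they
  # must live inside a `reverse_proxy ... { }` block; placed directly in the
  # site block (as the upstream config had them) Caddy rejects the file.
  # X-Forwarded-For / X-Real-IP are set from the direct peer ({remote_host}),
  # which replaces rather than extends any client-supplied header — only
  # change this if Caddy sits behind another proxy you trust.
  generateCaddyfile = proxies:
    let
      proxyEntries = mapAttrsToList (domain: upstream: ''
        ${domain} {
          reverse_proxy ${upstream} {
            # Optional: Add some common headers for better proxying
            header_up Host {upstream_hostport}
            header_up X-Real-IP {remote_host}
            header_up X-Forwarded-For {remote_host}
            header_up X-Forwarded-Proto {scheme}
          }
        }
      '') proxies;
    in
    concatStringsSep "\n\n" proxyEntries;
in
{
  options = {
    modules = {
      caddy = {
        enable = mkEnableOption "Deploy Caddy";

        # New option for reverse proxy configuration
        reverseProxies = mkOption {
          type = types.attrsOf types.str;
          default = {};
          description = "Attribute set of domain to upstream mappings for reverse proxying";
          example = {
            "notes.nekomimi.pet" = "valefar:3009";
            "git.nekomimi.pet" = "morax:3000";
          };
        };

        # Optional: Allow custom Caddyfile content to be appended
        extraConfig = mkOption {
          type = types.lines;
          default = "";
          description = "Extra Caddyfile configuration to append";
        };

        # Optional: Email for ACME/Let's Encrypt
        email = mkOption {
          type = types.nullOr types.str;
          default = null;
          description = "Email address for ACME certificate registration";
        };
      };
    };
  };

  config = mkIf cfg.enable {
    # The upstream config disabled the Nix build sandbox host-wide
    # (nix.settings.sandbox = false, citing a 2021 xcaddy write-up). That
    # setting weakens isolation for every build on this machine, not just
    # Caddy. pkgs.caddy.withPlugins takes a `hash` for the fetched plugin
    # modules, which is the fixed-output mechanism Nix uses to allow network
    # access inside the sandbox, so the override has been dropped here. If
    # the Caddy build ever fails with a network error, check that hash first
    # rather than turning the sandbox back off globally.

    # 80/443 are the public listeners. Opening caddyMetricsPort only has an
    # effect if the admin API is rebound away from its loopback default; in
    # that case anyone who can reach the port can rewrite the running config,
    # so restrict the source addresses or scrape metrics from a local agent.
    networking.firewall.allowedTCPPorts = [ 80 443 caddyMetricsPort ];

    services.caddy = {
      enable = true;
      # Caddy built with the Cloudflare DNS provider for ACME DNS challenges.
      # The provider needs an API token supplied at runtime (for example via
      # a systemd EnvironmentFile kept outside the Nix store, which is
      # world-readable); nothing in this module provides it.
      # NOTE(review): the `hash` below uses the `sha256-` SRI prefix with a
      # base32-looking body — confirm it is the value Nix actually accepts.
      package = pkgs.caddy.withPlugins {
        plugins = [ "github.com/caddy-dns/cloudflare" ];
        hash = "sha256-1niaf801sijvjrqvw998y8x7b43a0g162h3ry530qwl8lrgkapii";
      };

      # Generate the Caddyfile from our configuration: an optional global
      # options block with the ACME email, then one site block per reverse
      # proxy, then any caller-supplied extra lines.
      # NOTE(review): the NixOS caddy module also exposes services.caddy.email
      # and may already emit a global options block of its own; if Caddy
      # rejects the generated file for a duplicate global block, move the
      # email into services.caddy.email instead of emitting it here.
      extraConfig = ''
        ${optionalString (cfg.email != null) ''
          {
            email ${cfg.email}
          }
        ''}
        ${generateCaddyfile cfg.reverseProxies}
        ${cfg.extraConfig}
      '';
    };

    systemd.services.caddy = {
      serviceConfig = {
        # Caddy runs unprivileged; binding 80/443 needs only this capability,
        # and the bounding set stops it from acquiring any other.
        AmbientCapabilities = "cap_net_bind_service";
        CapabilityBoundingSet = "cap_net_bind_service";
        # ACME issuance on first start can take a while; give it time before
        # systemd declares the unit failed.
        TimeoutStartSec = "5m";
      };
    };
  };
}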