{ pkgs, config, ... }:

let 
  public = {
    proxyPass = "http://localhost:9003";
  };
  admin = public // {
    # ref: https://docs.goauthentik.io/docs/add-secure-apps/providers/proxy/server_nginx
    extraConfig = ''
      auth_request /outpost.goauthentik.io/auth/nginx;
      error_page 401 = @goauthentik_proxy_signin;
      auth_request_set $auth_cookie $upstream_http_set_cookie;
      add_header Set-Cookie $auth_cookie;

      # translate headers from the outposts back to the actual upstream
      auth_request_set $authentik_username $upstream_http_x_authentik_username;
      auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
      auth_request_set $authentik_entitlements $upstream_http_x_authentik_entitlements;
      auth_request_set $authentik_email $upstream_http_x_authentik_email;
      auth_request_set $authentik_name $upstream_http_x_authentik_name;
      auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

      proxy_set_header X-authentik-username $authentik_username;
      proxy_set_header X-authentik-groups $authentik_groups;
      proxy_set_header X-authentik-entitlements $authentik_entitlements;
      proxy_set_header X-authentik-email $authentik_email;
      proxy_set_header X-authentik-name $authentik_name;
      proxy_set_header X-authentik-uid $authentik_uid;
    '';
  };
in {

  services.listmonk = {
    enable = true;
    database.createLocally = true;
    settings.app.address = "127.0.0.1:9003";
  };

  services.nginx.virtualHosts."news.cebula.camp" = {
    forceSSL = true;
    enableACME = true;

    # ref: https://listmonk.app/docs/configuration/#http-routes
    locations."/subscription/" = public;
    locations."/link/" = public;
    locations."/campaign/" = public;
    locations."/public/" = public;
    locations."/webhooks/service/" = public;
    locations."/uploads/" = public;

    locations."/api/" = admin;
    locations."/admin/" = admin;
    locations."/webhooks/bounce" = admin;

    # ref: https://docs.goauthentik.io/docs/add-secure-apps/providers/proxy/server_nginx
    locations."/outpost.goauthentik.io" = {
      extraConfig = ''
        proxy_pass http://10.88.0.1:9002;
        proxy_set_header Host $host;
        proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
        add_header Set-Cookie $auth_cookie;
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
      '';
    };
    locations."@goauthentik_proxy_signin" = {
      extraConfig = ''
        internal;
        add_header Set-Cookie $auth_cookie;
        return 302 /outpost.goauthentik.io/start?rd=$request_uri;
      '';
    };
  };
}