{ config, lib, pkgs, ... }:

with lib;
let
  cfg = config.my.services.proxy;

in {

  options.my.services.proxy = {

    enable = mkOption {
      default = false;
      description = "whether to enable proxy";
      type = types.bool;
    };

    proxyHosts = mkOption {
      type = types.listOf (types.submodule (
        {
          options = {
            hostNames = mkOption {
              type = types.listOf types.str;
              default = [];
              description = ''
                Proxy these hostNames.
              '';
            };
            proxyTo = mkOption {
              type = types.submodule (
                {
                  options = {
                    host = mkOption {
                      type = types.nullOr types.string;
                      default = null;
                      description = ''
                        Host to forward traffic to.
                        Any hostname may only be used once
                      '';
                    };
                    httpPort = mkOption {
                      type = types.int;
                      default = 80;
                      description = ''
                        Port to forward http to.
                      '';
                    };
                    httpsPort = mkOption {
                      type = types.int;
                      default = 443;
                      description = ''
                        Port to forward http to.
                      '';
                    };
                  };
                });
              description = ''
                { host = /* ip or fqdn */; httpPort = 80; httpsPort = 443; } to proxy to
              '';
              default = {};
            };
          };

        }));
      default = [];
      example = [
        { hostNames = [ "test.hq.c3d2.de" "test.c3d2.de" ];
          proxyTo = { host = "172.22.99.99"; httpPort = 80; httpsPort = 443; };
        }
      ];
    };

  };

  config = mkIf cfg.enable {

    services.haproxy = {
      enable = true;
      config = ''
        resolvers dns
          nameserver quad9 9.9.9.9:53
          hold valid 1s

        frontend http-in
          bind :::80 v4v6
          default_backend proxy-backend-http
  
        backend proxy-backend-http
          timeout connect 5000
          timeout check 5000
          timeout client 30000
          timeout server 30000
          ${concatMapStringsSep "\n" (proxyHost:
            optionalString (proxyHost.hostNames != [] && proxyHost.proxyTo.host != null) (
              concatMapStringsSep "\n" (hostname: ''
                use-server ${hostname}-http if { req.hdr(host) -i ${hostname} }
                server ${hostname}-http ${proxyHost.proxyTo.host}:${toString proxyHost.proxyTo.httpPort} resolvers dns check inter 1000
              ''
              ) (proxyHost.hostNames)
            )
          ) (cfg.proxyHosts)
          }

        frontend https-in
          bind :::443 v4v6
          default_backend proxy-backend-https

        backend proxy-backend-https
          timeout connect 5000
          timeout check 5000
          timeout client 30000
          timeout server 30000
          ${concatMapStringsSep "\n" (proxyHost:
            optionalString (proxyHost.hostNames != [] && proxyHost.proxyTo.host != null) (
              concatMapStringsSep "\n" (hostname: ''
                use-server ${hostname}-https if { req.ssl_sni -i ${hostname} }
                server ${hostname}-https ${proxyHost.proxyTo.host}:${toString proxyHost.proxyTo.httpsPort} resolvers dns check inter 1000
              ''
              ) (proxyHost.hostNames)
            )
          ) (cfg.proxyHosts)
          }
      '';
    };
  };
}