infrastructure/modules/dgn-web.nix

{ config, lib, ... }:

let
  inherit (lib)
    attrsToList
    concatStringsSep
    filterAttrs
    mkEnableOption
    mkIf
    mkOption
    ;

  inherit (lib.types) attrsOf port;

  cfg = config.dgn-web;
in
{
  options.dgn-web = {
    enable = mkEnableOption "sane defaults for web services.";

    internalPorts = mkOption {
      type = attrsOf port;
      default = { };
      description = ''
        Map from the web services to their internal ports, it should avoid port clashes.
      '';
    };
  };

  config = mkIf cfg.enable {
    assertions = [
      (
        let
          duplicates = builtins.attrValues (
            builtins.mapAttrs (p: serv: "${p}: ${concatStringsSep ", " serv}") (
              filterAttrs (_: ls: builtins.length ls != 1) (
                builtins.foldl' (
                  rev:
                  { name, value }:
                  let
                    str = builtins.toString value;
                  in
                  rev // { ${str} = (rev.${str} or [ ]) ++ [ name ]; }
                ) { } (attrsToList cfg.internalPorts)
              )
            )
          );
        in
        {
          assertion = duplicates == [ ];
          message = ''
            Internal ports cannot be used for multiple services, the clashes are:
              ${concatStringsSep "\n  " duplicates}
          '';
        }
      )
    ];

    services.nginx = {
      enable = true;

      recommendedBrotliSettings = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      recommendedZstdSettings = true;
    };

    networking.firewall.allowedTCPPorts = [
      80
      443
    ];
  };
}