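{ config, pkgs, lib, ... }:
# NixOS module: wires the nginx virtual hosts computed by
# ../intermediate/nginx.nix into services.nginx, opens the TCP ports that
# model reports in the firewall, and configures ACME for TLS-enabled endpoints.
let
  # The nginx model is imported as a plain attribute set (no arguments are
  # passed to it), so it cannot depend on `config` or `pkgs`.
  nginxModel = import ../intermediate/nginx.nix;
  virtualHostsData = nginxModel.virtualHostsData;
  validatedEndpoints = nginxModel.validatedEndpoints;

  # Endpoints that request TLS; these are the ones that need an ACME account
  # email to be configured.
  tlsEndpoints = lib.filter (endpoint: endpoint.force_ssl) validatedEndpoints;

  # TLS on local-exposure endpoints is rejected outright: per the assertion
  # message below, the ACME flow used here only handles external domains.
  localTlsEndpoints = lib.filter
    (endpoint: endpoint.force_ssl && endpoint.exposure == "local")
    validatedEndpoints;
  localTlsDomains = lib.unique (map (endpoint: endpoint.domain) localTlsEndpoints);

  # True when the merged configuration carries a non-empty string as the ACME
  # contact email. The guards are ordered so that a missing attribute or a
  # null value (NixOS's default for security.acme.defaults.email) evaluates to
  # false instead of raising an evaluation error.
  acmeEmailConfigured =
    config.security.acme ? defaults
    && builtins.isAttrs config.security.acme.defaults
    && config.security.acme.defaults ? email
    && builtins.isString config.security.acme.defaults.email
    && config.security.acme.defaults.email != "";
in
{
  assertions = [
    {
      assertion = validatedEndpoints != [ ];
      message = "No endpoints configured. config/endpoints.nix must contain at least one endpoint.";
    }
    {
      assertion = localTlsEndpoints == [ ];
      message = "ACME-managed TLS is only supported for external domains. Local domains with force_ssl=true are not allowed: ${builtins.concatStringsSep ", " localTlsDomains}";
    }
    {
      # Without TLS endpoints no ACME account is needed, so the email may be
      # absent. With TLS endpoints, the merged email must be non-empty; this
      # only trips when a deployment overrides the default set further below.
      assertion = tlsEndpoints == [ ] || acmeEmailConfigured;
      message = "TLS endpoints exist, but security.acme.defaults.email is missing or empty.";
    }
  ];

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    virtualHosts = virtualHostsData;
  };

  # Opens every port the nginx model reports. networking.firewall.allowedTCPPorts
  # applies to all interfaces; local-exposure endpoints are not distinguished
  # here, so any interface-level restriction for them has to be done elsewhere.
  # NOTE(review): confirm that exposing the local-only listeners on every
  # interface is intended.
  networking.firewall.allowedTCPPorts = nginxModel.nginxUsedPorts;

  security.acme = {
    acceptTerms = true;
    # lib.mkDefault lets a deployment-specific module override the ACME contact
    # address with a plain definition instead of lib.mkForce (two unprioritised
    # definitions of this option would otherwise conflict at evaluation time).
    # The assertion above still rejects an override that is empty.
    # NOTE(review): this is a personal address committed to the repository;
    # consider moving it into a per-deployment module or secret.
    defaults.email = lib.mkDefault "katharina.heidenreich02@gmail.com";
  };
}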