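# Reverse-proxy / TLS termination module: wires the virtual hosts and stream
# blocks from ../intermediate/nginx.nix into services.nginx, requests one ACME
# certificate per local-service domain, and opens only the public listen ports.
{ config, lib, ... }:

let
  nginxConfig = import ../intermediate/nginx.nix;
  serviceConfig = import ../config/services.nix;

  # Domains that get a TLS certificate (derived in the intermediate nginx config).
  acmeDomains = nginxConfig.localServiceAcmeDomains;

  # Effective ACME contact address as the module system resolved it (not the
  # raw serviceConfig value), so the assertion below reflects what will actually
  # be used. Falls back to null when `defaults.email` is absent or `defaults`
  # is not an attribute set.
  acmeEmail = lib.attrByPath [ "defaults" "email" ] null config.security.acme;
  acmeEmailConfigured = builtins.isString acmeEmail && acmeEmail != "";
in
{
  config = lib.mkIf serviceConfig.nginx.enable {
    # Fail evaluation instead of silently deploying TLS endpoints whose
    # certificate issuance cannot be set up (the CA needs a contact address).
    assertions = lib.optional (acmeDomains != [ ] && !acmeEmailConfigured) {
      assertion = false;
      message = "TLS local proxy endpoints exist, but security.acme.defaults.email is missing or empty.";
    };

    services.nginx = {
      enable = true;
      # Proxy headers (Host, X-Forwarded-*, etc.) and hardened TLS defaults as
      # shipped by the nginx module.
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      virtualHosts = nginxConfig.virtualHosts;
      streamConfig = nginxConfig.streamConfig;
    };

    security.acme = {
      acceptTerms = true;
      defaults.email = serviceConfig.nginx.acmeEmail;
      # One cert per domain. The webroot must be served by the corresponding
      # virtual host under /.well-known/acme-challenge/ — that mapping lives in
      # nginxConfig.virtualHosts, not here. `group = "nginx"` gives the nginx
      # service read access to the issued key and certificate.
      certs = lib.genAttrs acmeDomains (domain: {
        webroot = "/var/lib/acme/acme-challenge";
        group = "nginx";
      });
    };

    # Expose only the ports nginxConfig declares as public.
    networking.firewall.allowedTCPPorts = nginxConfig.publicListenPorts;
  };
}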