{ config, lib, ... }:
let
  cfg = config.bagel.services.gerrit;

  # Gerrit's own HTTP listener on loopback; nginx in front of it is the only
  # path the outside world is meant to use.
  gerritUpstream = "http://localhost:4778";

  # The first configured domain is the canonical server name, every further
  # one is served as an alias of the same vhost.
  # NOTE(review): assumes cfg.domains is non-empty — `head []` fails at eval
  # time with an unhelpful message; the option declaration (not shown here)
  # should enforce that.
  primaryDomain = lib.head cfg.domains;
  aliasDomains = lib.tail cfg.domains;
in
{
  config = lib.mkIf cfg.enable {
    services.nginx = {
      enable = true;
      enableReload = true;

      # Emitted at http level. nginx only inherits add_header into server /
      # location blocks that declare no add_header of their own, so the vhost
      # below must stay free of add_header or this header silently disappears.
      appendHttpConfig = ''
        add_header Permissions-Policy "interest-cohort=()";
      '';

      # Off on purpose: the proxy headers are set by hand in extraConfig, so
      # Gerrit receives exactly X-Forwarded-For and Host and nothing else
      # (no X-Real-IP / X-Forwarded-Proto from the NixOS recommended set).
      recommendedProxySettings = false;

      virtualHosts.gerrit = {
        serverName = primaryDomain;
        serverAliases = aliasDomains;

        # Certificate via ACME; forceSSL turns the plain-HTTP server into a
        # redirect to HTTPS, so Gerrit is reachable over TLS only.
        enableACME = true;
        forceSSL = true;

        # X-Forwarded-For is set from $remote_addr rather than
        # $proxy_add_x_forwarded_for: this nginx is the edge, so a
        # client-supplied X-Forwarded-For is discarded instead of forwarded.
        # Gerrit's side of the proxy setup (listenUrl etc.) is configured
        # elsewhere and is not visible in this file.
        extraConfig = ''
          location / {
            proxy_pass ${gerritUpstream};
            proxy_set_header  X-Forwarded-For $remote_addr;
            # The :443 suffix is a workaround for https://b.tvl.fyi/issues/88.
            proxy_set_header  Host $host:443;
            # Gerrit can throw a lot of data.
            proxy_buffering off;
            # NGINX should not give up super fast. Things can take time.
            proxy_read_timeout 3600;
          }

          location = /robots.txt {
            return 200 'User-agent: *\nAllow: /';
          }
        '';
      };
    };

    # Only the public HTTP/HTTPS ports are opened; the Gerrit listener itself
    # stays reachable from loopback only.
    networking.firewall.allowedTCPPorts = [ 443 80 ];
  };
}