# NixOS module: nginx terminates TLS for the Gerrit instance and reverse-proxies
# it to the local Gerrit HTTP listener. Only active when
# `bagel.services.gerrit.enable` is set; Gerrit itself is configured elsewhere.
{ config, lib, ... }:
let
  gerrit = config.bagel.services.gerrit;

  # Gerrit is only reachable via loopback; nginx is the public entry point.
  gerritBackend = "http://localhost:4778";

  # First domain is the canonical vhost name, the rest are served as aliases.
  primaryDomain = lib.head gerrit.domains;
  aliasDomains = lib.tail gerrit.domains;

  # Access-log format that also records upstream connect/header/response
  # timings, so slow Gerrit responses can be told apart from slow clients.
  upstreamTimeLogFormat = ''
    log_format upstream_time '$remote_addr - $remote_user [$time_local] '
      '"$request" $status $body_bytes_sent '
      '"$http_referer" "$http_user_agent"'
      'rt=$request_time uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"';
  '';

  # Per-vhost nginx snippet. X-Forwarded-For is *set* from $remote_addr rather
  # than appended, so whatever a client sends in that header is discarded and
  # Gerrit only ever sees the real peer address.
  # NOTE(review): /robots.txt has no explicit Content-Type and so inherits
  # nginx's default_type — confirm it is text/plain if crawlers misread it.
  gerritVhostConfig = ''
    access_log /var/log/nginx/gerrit-access.log upstream_time;

    location / {
      proxy_pass ${gerritBackend};
      proxy_set_header X-Forwarded-For $remote_addr;
      # The :443 suffix is a workaround for https://b.tvl.fyi/issues/88.
      proxy_set_header Host $host:443;
      # Gerrit can throw a lot of data.
      proxy_buffering on;
      # NGINX should not give up super fast. Things can take time.
      proxy_read_timeout 3600;
    }

    location = /robots.txt {
      return 200 'User-agent: *\nAllow: /';
    }
  '';
in
{
  config = lib.mkIf gerrit.enable {
    # 80 stays open for the ACME challenge and the forceSSL redirect; 443 is
    # the only port that carries Gerrit traffic.
    networking.firewall.allowedTCPPorts = [ 443 80 ];

    services.nginx = {
      enable = true;
      enableReload = true;

      # NixOS' recommended proxy headers are deliberately not added; the only
      # headers nginx injects towards Gerrit are the ones set explicitly in
      # gerritVhostConfig above.
      recommendedProxySettings = false;

      # Opt every served site out of FLoC interest cohorts.
      appendHttpConfig = ''
        add_header Permissions-Policy "interest-cohort=()";
      '';

      commonHttpConfig = upstreamTimeLogFormat;

      virtualHosts.gerrit = {
        serverName = primaryDomain;
        serverAliases = aliasDomains;
        enableACME = true;
        forceSSL = true;
        extraConfig = gerritVhostConfig;
      };
    };
  };
}