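# NixOS module: serves the trainsearch front-end on oeffi.ctu.cx and adds a
# pass-through proxy for a fixed set of timetable API hosts.
# Requests of the form /https://<host>/<path> are forwarded to <host>.
{ config, pkgs, lib, ... }:

{
  # Point oeffi.ctu.cx at this machine.
  dns.zones."ctu.cx".subdomains.oeffi.CNAME = [ "${config.networking.fqdn}." ];

  services.nginx = {
    enable = true;

    # Upstream allowlist: this is the control that keeps the location below
    # from acting as an open proxy. Entries are exact host names and the
    # default is "no", so any $phost that is not listed verbatim (including
    # host:port or userinfo forms, which the location regex would otherwise
    # capture) is rejected with 400.
    # `map` is only valid in the http context, hence appendHttpConfig.
    appendHttpConfig = ''
      map $phost $host_allowed {
        default no;
        www.bahn.de yes;
        app.vendo.noncd.db.de yes;
        nah.sh.hafas.de yes;
        www.rmv.de yes;
        vrn.hafas.de yes;
        bvg-apps-ext.hafas.de yes;
        fahrplan.oebb.at yes;
      }
    '';

    virtualHosts."oeffi.ctu.cx" = {
      enableACME = true;
      forceSSL = true;
      kTLS = true;
      root = pkgs.trainsearch;

      # Keep the "//" of the embedded "https://" intact; with slash merging
      # enabled the proxy location regex would never match.
      extraConfig = ''
        merge_slashes off;
      '';

      # Proxy location. The named captures are required: they define the
      # $pscheme, $phost and $ppath variables used by proxy_pass below and by
      # the $host_allowed map above.
      #
      # Order of evaluation inside the location:
      #   1. OPTIONS preflights are answered locally with 204 (nothing is
      #      proxied, so this happens before the allowlist check).
      #   2. Requests for a host outside the allowlist get 400.
      #   3. Everything else is forwarded with Host set to the target host.
      # proxy_redirect rewrites absolute upstream redirects so the follow-up
      # request comes back through this location and is checked against the
      # allowlist again.
      #
      # NOTE(review): the regex accepts http:// as well as https://, so an
      #   allowlisted host can be reached over plaintext; restrict to https if
      #   none of the upstreams need http.
      # NOTE(review): nginx does not verify upstream certificates unless
      #   proxy_ssl_verify (with proxy_ssl_trusted_certificate) is enabled, and
      #   sends no SNI unless proxy_ssl_server_name is on. Neither is set in
      #   this block; confirm whether they are configured elsewhere.
      # NOTE(review): `resolver 8.8.8.8` is needed because proxy_pass uses
      #   variables, but it sends unauthenticated DNS queries to a public
      #   resolver; a local validating resolver is the safer choice.
      # NOTE(review): Access-Control-Allow-Origin is pinned to
      #   http://localhost:8080, which looks like a development origin; confirm
      #   this is intended on the deployed host.
      locations."~ ^/(?<pscheme>https?://)(?<phost>[^/\\n\\r]+)(?<ppath>/.*)$".extraConfig = ''
        if ($request_method = OPTIONS) {
          more_set_headers "Access-Control-Allow-Headers: *";
          more_set_headers "Access-Control-Allow-Origin: http://localhost:8080";
          more_set_headers "Access-Control-Max-Age: 3600";
          more_set_headers "Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS";
          add_header Content-Type text/plain;
          add_header Content-Length 0;
          return 204;
        }

        resolver 8.8.8.8;

        if ($host_allowed != yes) {
          return 400;
        }

        more_set_headers "Access-Control-Allow-Headers: *";
        more_set_headers "Access-Control-Allow-Origin: http://localhost:8080";
        more_set_headers "Access-Control-Max-Age: 3600";
        more_set_headers "Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS";

        proxy_set_header Host $phost;
        proxy_redirect ~^(https?://)([^/]+)(.*)$ $scheme://$http_host/$1$2$3;
        proxy_pass $pscheme$phost$ppath$is_args$args;
      '';
    };
  };
}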