{ config, lib, pkgs, ... }:
with lib;
let
  cfg = config.services.piped;

  proxy_nginx_extras = ''
    proxy_buffering on;
    proxy_buffers 1024 16k;
    proxy_set_header X-Forwarded-For "";
    proxy_set_header CF-Connecting-IP "";
    proxy_hide_header "alt-svc";
    sendfile on;
    sendfile_max_chunk 512k;
    tcp_nopush on;
    aio threads=default;
    aio_write on;
    directio 16m;
    proxy_hide_header Cache-Control;
    proxy_hide_header etag;
    proxy_http_version 1.1;
    proxy_set_header Connection keep-alive;
    proxy_max_temp_file_size 32m;
    access_log off;
  '';
in {
  systemd.tmpfiles.rules = [
    "d /run/piped-proxy - nginx nginx"
    "d /run/piped-proxy/socket - nginx nginx"
  ];

  systemd.services.piped-proxy = {
    wantedBy = [ "multi-user.target" ];
    environment.UDS = "1";
    serviceConfig = {
      User = "nginx";
      WorkingDirectory = "/run/piped-proxy";
      ExecStart = "${pkgs.piped-proxy}/bin/piped-proxy";
    };
  };

  services.nginx.virtualHosts."${cfg.proxy_domain}" = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://unix:/run/piped-proxy/socket/actix.sock";
      extraConfig = proxy_nginx_extras + ''
        add_header Cache-Control "public, max-age=604800";
      '';
    };
    locations."~ (/videoplayback|/api/v4/|/api/manifest/)" = {
      proxyPass = "http://unix:/run/piped-proxy/socket/actix.sock";
      extraConfig = proxy_nginx_extras + ''
        add_header Cache-Control private always;
      '';
    };
  };
}