{ config, lib, ... }:
let
  cfg = config.services.mastodon;
in
{
  services.nginx = {
    virtualHosts = {
      "mastodon.${config.pub-solar-os.networking.domain}" = {
        root = "${cfg.package}/public/";
        # mastodon only supports https, but you can override this if you offload tls elsewhere.
        forceSSL = lib.mkDefault true;
        enableACME = lib.mkDefault true;

        locations."/auth/sign_up".extraConfig = ''
          return 302 /auth/sign_in;
        '';

        locations."/auth/confirmation/new".extraConfig = ''
          return 302 https://auth.${config.pub-solar-os.networking.domain}/realms/${config.pub-solar-os.auth.realm}/login-actions/reset-credentials?client_id=mastodon;
        '';

        locations."/auth/password/new".extraConfig = ''
          return 302 https://auth.${config.pub-solar-os.networking.domain}/realms/${config.pub-solar-os.auth.realm}/login-actions/reset-credentials?client_id=mastodon;
        '';

        locations."/system/".alias = "/var/lib/mastodon/public-system/";

        locations."/" = {
          tryFiles = "$uri @proxy";
        };

        locations."@proxy" = {
          proxyPass = (
            if cfg.enableUnixSocket then
              "http://unix:/run/mastodon-web/web.socket"
            else
              "http://127.0.0.1:${toString (cfg.webPort)}"
          );
          proxyWebsockets = true;
        };

        locations."/api/v1/streaming/" = {
          proxyPass = "http://mastodon-streaming";
          proxyWebsockets = true;
        };
      };
    };

    upstreams.mastodon-streaming = {
      extraConfig = ''
        least_conn;
      '';
      servers = builtins.listToAttrs (
        map (i: {
          name = "unix:/run/mastodon-streaming/streaming-${toString i}.socket";
          value = { };
        }) (lib.range 1 cfg.streamingProcesses)
      );
    };
  };
}