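# NixOS module extending `services.hledger-web`: publishes hledger-web (with
# its JSON API) on `<subdomain>.<networking.domain>` through the local
# `services.webserver` vhost abstraction, serving static files from
# /var/www/ledgio and falling back to the hledger-web backend.
#
# Security notes:
#   * `allow = "edit"` together with `serveApi = true` means every client that
#     gets past the vhost's authentication can modify the journal via the API.
#   * The CORS origin is matched against an explicit allowlist
#     (`corsAllowedOrigins`) and is no longer copied from the request's
#     `Origin` header. Reflecting `$http_origin` grants every web origin
#     read/write access from a browser that can reach this vhost.
#     NOTE(review): `tailscaleAuth` is defined elsewhere; if it authenticates
#     by network identity rather than by a credential the browser withholds
#     cross-origin, the allowlist is the only thing keeping third-party pages
#     away from the API. Confirm against the webserver module.
{ config, lib, ... }:
let
  cfg = config.services.hledger-web;
  fqdn = "${cfg.subdomain}.${config.networking.domain}";

  # One exact-match nginx `if` per allowed origin. `$cors_origin` stays empty
  # for any other (or absent) Origin, and nginx omits headers whose value is
  # empty, so unlisted origins receive no Access-Control-Allow-Origin at all.
  corsOriginChecks = lib.concatMapStrings (origin: ''
    if ($http_origin = "${origin}") { set $cors_origin $http_origin; }
  '') cfg.corsAllowedOrigins;
in
{
  options.services.hledger-web = {
    subdomain = lib.mkOption {
      type = lib.types.str;
      description = "Subdomain under `networking.domain` on which the vhost is served.";
    };
    user = lib.mkOption {
      type = lib.types.str;
      description = "User the hledger-web systemd unit is forced to run as.";
    };
    group = lib.mkOption {
      type = lib.types.str;
      description = "Group the hledger-web systemd unit is forced to run as.";
    };
    corsAllowedOrigins = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ "https://${fqdn}" ];
      defaultText = lib.literalExpression ''[ "https://''${fqdn}" ]'';
      description = ''
        Exact origins (scheme://host[:port]) allowed to call the API
        cross-origin. Requests from any other origin get no
        Access-Control-Allow-Origin header.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    services = {
      hledger-web = {
        # Write access by default; tighten to "add" or "view" where the API
        # consumers do not need to rewrite the journal.
        allow = lib.mkDefault "edit";
        baseUrl = "https://${fqdn}";
        serveApi = true;
        extraOptions = [ "--exchange=€" ];
      };

      webserver = {
        enable = lib.mkDefault true;
        vHosts.${fqdn} = {
          tailscaleAuth = true;

          # Server-level directives. `Vary: Origin` is emitted because the
          # CORS response now depends on the request's Origin header.
          extraConfig = ''
            root /var/www/ledgio;

            set $cors_origin "";
            ${corsOriginChecks}
            add_header Vary Origin always;
            add_header Access-Control-Allow-Origin $cors_origin always;
            add_header Access-Control-Allow-Methods 'OPTIONS, GET, PUT' always;
            add_header Access-Control-Allow-Headers 'Content-Type' always;

            location ~ \.(html|js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
              try_files $uri =404;
            }
          '';

          locations = {
            # Named location used as the try_files fallback: proxies to the
            # hledger-web backend port.
            "@api" = {
              proxyPort = cfg.port;
            };

            # CORS preflight is answered by nginx itself with 204; everything
            # else is served from disk when present, otherwise handed to @api.
            # add_header inside this `if` replaces the inherited server-level
            # headers, so the CORS set is repeated here.
            "/".extraConfig = ''
              if ($request_method = OPTIONS) {
                add_header Content-Type text/plain;
                add_header Content-Length 0;
                add_header Vary Origin;
                add_header Access-Control-Allow-Origin $cors_origin;
                add_header Access-Control-Allow-Methods 'OPTIONS, GET, PUT';
                add_header Access-Control-Allow-Headers 'Content-Type';
                return 204;
              }
              try_files $uri $uri/ @api;
            '';
          };
        };
      };
    };

    # Override the account set by the upstream unit with the configured one.
    systemd.services.hledger-web.serviceConfig = {
      User = lib.mkForce cfg.user;
      Group = lib.mkForce cfg.group;
    };
  };
}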