infrastructure/nixos/access/deluge.nix
2024-05-17 20:58:20 -07:00


# nginx front end for Deluge: an HTTP(S) reverse proxy for the web UI, a TCP
# stream proxy for the daemon port, and the firewall rule for that port.
#
# Several options used below (`upstreams'`, `accessService`, `vouch`,
# `local.enable`, `copyFromVhost`) are declared outside this file, so the
# comments here only state what this file sets, and hedge the rest.
{
  config,
  lib,
  ...
}: let
  inherit (lib.modules) mkDefault mkIf mkOptionDefault;
  inherit (config.services) nginx;

  delugeCfg = config.services.deluge;

  # Names of the two upstreams defined below (web UI and daemon).
  webUpstream = "deluge'access";
  daemonUpstream = "deluge'daemon'access";

  loopback = mkDefault "127.0.0.1";

  # Settings shared by both virtual hosts.
  vhostName = {shortServer = mkDefault "deluge";};
  proxyLocations = {"/" = {proxy = {enable = true;};};};
  primaryVhost = mkDefault "deluge";

  # Builds the `access` upstream server. By default it is enabled only when
  # the sibling `local` server is absent or disabled; `or false` covers the
  # case where `local` was never defined because its mkIf condition is false.
  # `extra` is merged into `accessService` (used to select the "web" port).
  viaAccess = extra: {upstream, ...}: {
    enable = mkDefault (!(upstream.servers.local.enable or false));
    accessService =
      {
        name = "deluge";
        getAddressFor = mkDefault "getAddress4For";
      }
      // extra;
  };

  # The daemon stream server defined below, read back from the final config
  # so the firewall rule follows any override of its enable flag or port.
  daemonProxy = nginx.stream.servers.deluge'local;
in {
  config = {
    services.nginx = {
      # Web UI upstream: loopback when Deluge and its web UI run on this host,
      # otherwise the `access` server.
      upstreams'.${webUpstream}.servers = {
        local = mkIf (delugeCfg.enable && delugeCfg.web.enable) {
          enable = mkDefault true;
          addr = loopback;
          port = mkDefault delugeCfg.web.port;
        };
        access = viaAccess {port = "web";};
      };

      virtualHosts = {
        # Primary vhost: HTTPS is forced and vouch is enabled, both only at
        # mkDefault priority, so a definition elsewhere can switch them off.
        # NOTE(review): vouch presumably puts the vhost behind an auth proxy;
        # confirm against the module that declares the option.
        deluge = {
          name = vhostName;
          locations = proxyLocations;
          ssl = {force = mkDefault true;};
          proxy = {upstream = mkDefault webUpstream;};
          vouch = {enable = mkDefault true;};
        };

        # Local vhost: takes its certificate and proxy settings from the
        # `deluge` vhost by default. No `vouch` option is set here.
        # NOTE(review): `local.enable = true` (set without mkDefault) is the
        # only access control for this vhost visible in this file; presumably
        # it limits the vhost to local clients. Confirm what it enforces.
        deluge'local = {
          name = vhostName;
          locations = proxyLocations;
          ssl.force = mkDefault true;
          ssl.cert.copyFromVhost = primaryVhost;
          local.enable = true;
          proxy.copyFromVhost = primaryVhost;
        };
      };

      stream = {
        # Daemon upstream: enabled by default only when Deluge is NOT enabled
        # on this host, i.e. when the daemon has to be reached elsewhere.
        upstreams.${daemonUpstream} = {
          enable = mkDefault (!delugeCfg.enable);
          servers = {
            local = mkIf delugeCfg.enable {
              enable = mkDefault true;
              addr = loopback;
              port = mkDefault delugeCfg.config.daemon_port;
            };
            access = viaAccess {};
          };
        };

        # TCP forward of the daemon port. It follows the upstream's enable
        # flag and listens on the port of the upstream's default server.
        # NOTE(review): nothing in this file adds TLS or authentication at
        # this layer; confirm that the daemon's own authentication is
        # configured and that `local.enable` limits who can connect.
        servers.deluge'local = {config, ...}: let
          target = nginx.stream.upstreams.${config.proxy.upstream};
        in {
          enable = mkDefault target.enable;
          listen.daemon.port = mkOptionDefault target.servers.${target.defaultServerName}.port;
          local.enable = true;
          proxy.upstream = mkDefault daemonUpstream;
        };
      };
    };

    # Open the daemon listen port, on the `local` firewall interface only,
    # and only while the stream server above is enabled.
    networking.firewall = mkIf daemonProxy.enable {
      interfaces.local.allowedTCPPorts = [daemonProxy.listen.daemon.port];
    };
  };
}