{ config, pkgs, lib, ... }:

{
  services.nginx = {
    enable = true;
    
    # Recommended settings
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    
    # Virtual hosts configuration for local staging
    virtualHosts = {

      # Main website - Static HTML/CSS
      # Access via http://localhost or http://localhost:80
      "localhost" = {
        # No SSL for local development
        listen = [
          { addr = "127.0.0.1"; port = 80; }
          { addr = "0.0.0.0"; port = 80; }
        ];
        
        root = "/srv/www/stage.binning.net";
        
        locations."/" = {
          index = "index.html";
          tryFiles = "$uri $uri/ =404";
          extraConfig = ''
            # Enable Server Side Includes for navbar/footer includes
            ssi on;
          '';
        };
        
        # Blog (mdbook generated) - Enable SSI
        locations."/blog/" = {
          extraConfig = ''
            # Enable Server Side Includes
            ssi on;
          '';
        };
        
        # Private blog articles with HTTP basic authentication
        locations."/blog/private/" = {
          extraConfig = ''
            auth_basic "Private Articles";
            auth_basic_user_file /srv/nginx/.htpasswd;
            
            # Enable Server Side Includes
            ssi on;
          '';
        };
        
        # Custom 404 page
        extraConfig = ''
          error_page 404 /404.html;
        '';
      };
    };
  };

  # Firewall - allow local HTTP access
  networking.firewall.allowedTCPPorts = [ 80 ];
}