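# NixOS host module: nginx front end for three virtual hosts (app, lnbits,
# img under `domain`), ACME certificates, SSH, firewall and fail2ban.
# `domain` is supplied by the caller of this module.
{ config, pkgs, domain, ... }:

{
  # Set hostname (passed as parameter)
  # NOTE(review): networking.hostName is expected to be a single label without
  # dots; if `domain` is an FQDN this assignment likely fails evaluation.
  # Confirm what the caller passes.
  networking.hostName = domain;

  # System packages
  environment.systemPackages = with pkgs; [
    vim
    git
    htop
  ];

  # Enable SSH
  # NOTE(review): enabled with module defaults; no authentication settings are
  # pinned here. Once key-based access is confirmed, consider setting
  # services.openssh.settings.PasswordAuthentication = false and
  # services.openssh.settings.KbdInteractiveAuthentication = false.
  services.openssh.enable = true;

  # Enable and configure nginx
  services.nginx = {
    enable = true;

    # Recommended settings
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    # DISABLED - was interfering with WebSocket
    # NOTE(review): with this off, the proxied locations below do not get the
    # module's standard forwarding headers (Host, X-Forwarded-For,
    # X-Forwarded-Proto, ...), so the backends presumably see every request as
    # coming from localhost. If a backend logs or rate-limits by client
    # address, set the needed headers per location.
    recommendedProxySettings = false;
    recommendedTlsSettings = true;

    # Web-app service
    virtualHosts."app.${domain}" = {
      # Request a Let's Encrypt certificate for this host and redirect plain
      # HTTP to HTTPS. security.acme below only sets account defaults; without
      # enableACME no certificate is requested and the host is HTTP-only.
      enableACME = true;
      forceSSL = true;
      root = "/var/src/web-app-dist";
      locations."/" = {
        index = "index.html";
        # Single-page-app fallback: unknown paths are served index.html.
        tryFiles = "$uri $uri/ /index.html";
      };
    };

    # LNbits service (example - adjust as needed)
    virtualHosts."lnbits.${domain}" = {
      # TLS is required here in particular: this host proxies a wallet
      # service, and credentials would otherwise cross the network in clear.
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://localhost:5000";
        proxyWebsockets = true;
      };
    };

    # Image service (example - adjust as needed)
    virtualHosts."img.${domain}" = {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://localhost:8080";
      };
    };
  };

  # Enable automatic SSL certificate generation with Let's Encrypt
  # (account-level defaults; certificates are requested per virtual host via
  # enableACME above)
  security.acme = {
    acceptTerms = true;
    defaults.email = "admin@aiolabs.dev";
  };

  # Open firewall for HTTP/HTTPS
  # Port 80 stays open for the ACME HTTP challenge and the HTTPS redirect.
  # The backends on 5000 and 8080 are not listed here, so they are only
  # reachable through nginx as far as this file shows.
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  # Enable fail2ban for additional security
  services.fail2ban = {
    enable = true;
    jails = {
      nginx-http-auth.settings = {
        enabled = true;
        filter = "nginx-http-auth";
        # NOTE(review): logpath names a file while backend = "systemd" reads
        # the journal; presumably logpath is ignored with this backend.
        # Confirm the jail actually sees nginx error events. No virtual host
        # in this file configures HTTP basic auth, so this jail has nothing
        # to match unless auth is configured elsewhere.
        logpath = "/var/log/nginx/error.log";
        backend = "systemd";
      };
    };
  };

  # NixOS release version
  system.stateVersion = "25.05";
}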