{ pkgs, ... }:

let
  anubisBotsMirror = pkgs.writeText "anubis_bots_mirror.yaml" ''
    - name: whitelist-crans
      action: ALLOW
      remote_addresses:
        - 185.230.79.0/22
        - 2a0c:700::/32
        - 46.105.102.188/32
        - 2001:41d0:2:d5bc::/128

    - name: no-user-agent-string
      action: DENY
      expression: userAgent == ""

    - name: ban-gpt
      user_agent_regex: ".*gpt.*"
      action: DENY

    - name: ban-bot
      user_agent_regex: ".*(b|B)ot.*"
      action: DENY

    - name: ban-WebKit
      action: DENY
      expression:
        all:
          - userAgent.startsWith("Mozilla")
          - userAgent.matches("AppleWebKit")
          - userAgent.matches("Safari")
          - userAgent.matches("Chrome")

    - name: ban-Barkrowler
      user_agent_regex: ".*Barkrowler.*"
      action: DENY
  '';
  anubisMirror = pkgs.writeText "anubis_mirror.json" ''
    {
      "bots": [
        {
          "import": "${anubisBotsMirror}"
        },
        {
          "name": "allow-repo",
          "path_regex": "^...*",
          "action": "ALLOW"
        },
        {
          "name": "deny-other",
          "path_regex": ".*",
          "action": "ALLOW"
        }
      ]
    }
  '';
in {
  services.anubis = {
    instances."mirror" = {
      enable = true;
      settings = {
        BIND_NETWORK = "tcp";
        BIND = "127.0.0.1:7779";
        TARGET = "http://localhost:8890";
        COOKIE_DOMAIN = "crans.org";
        REDIRECT_DOMAINS = "eclat.crans.org,mirror.crans.org";
        POLICY_FNAME = "${anubisMirror}";
      };
    };
  };
}