{ nglib, nixpkgs }:
nglib.makeSystem {
  system = "x86_64-linux";
  name = "ra-systems-ingress-blowhole";
  inherit nixpkgs;
  config = ({ pkgs, config, nglib, ... }:
    let
      ids = config.ids;
    in
      {
        config = {
          dumb-init = {
            enable = true;
            sigell = {
              entries = [
                {
                  signal = "HUP";
                  action = {
                    type = "exec";
                    environment = {
                      PATH = "${pkgs.bash}/bin:${pkgs.busybox}/bin";
                    };
                    command =
                      [ "bash"
                        "-c"
                        "kill -s HUP \"$(cat /nginx.pid)\""
                      ];
                  };
                }
                {
                  signal = "TERM";
                  action = {
                    type = "signal";
                    rewrite = "TERM";
                    selector = {
                      type = "child";
                    };
                  };
                }
              ];
            };
            type.services = {};
          };
          init.services.nginx = {
            shutdownOnExit = true;
          };


          services.nginx = {
            enable = true;
            envsubst = true;
            configuration = [
              {
                daemon = "off";
                worker_processes = 2;
                user = "nginx";

                events."" = {
                  use = "epoll";
                  worker_connections = 128;
                };

                error_log = [ "/dev/stderr" "warn" ];

                pid = "/nginx.pid";

                stream."" = {
                  include = [
                    [ "/local/streams.conf" ]
                  ];
                };

                http."" = {
                  server_tokens = "off";
                  include = [
                    [ "${pkgs.nginx}/conf/mime.types" ]
                    [ "/local/upstreams.conf" ]
                  ];
                  charset = "utf-8";
                  access_log = [ "/dev/stdout" "combined" ];

                  server."" = {
                    listen = [ "80" "default_server" ];
                    server_name = [
                      "blowhole.in.redalder.org"
                    ];

                    location."/" = {
                      return = [ "301" "https://$$host$$request_uri" ];
                    };
                  };
                };
              }
            ];
          };
        };
      });
}