# NixOS module: nginx as the TLS-terminating reverse proxy for the Matrix
# homeserver behind matrix.berlin.ccc.de (the proxied paths suggest Synapse).
# Only the Matrix client/federation API prefixes are forwarded; every other
# path is answered by nginx itself.
{ config, pkgs, ... }:

let
  fqdn = "matrix.berlin.ccc.de";

  # Plain-HTTP backend on the IPv6 loopback address.
  # NOTE(review): the backend's own listener config is not visible here.
  # Confirm it binds to loopback only; if port 8008 were reachable from
  # outside, clients could bypass nginx and supply their own forwarding
  # headers.
  backendUrl = "http://[::1]:8008";

  # Resolvers for nginx's own runtime lookups (Cloudflare and Quad9, v6 + v4).
  # NOTE(review): these are off-host resolvers queried over plain DNS. The
  # nginx documentation recommends resolvers on a trusted network to limit
  # DNS spoofing; a local validating resolver would be the stricter choice.
  upstreamResolvers = [
    "[2606:4700:4700::1111]"
    "[2620:fe::fe]"
    "1.1.1.1"
    "9.9.9.9"
  ];
in
{
  # NOTE(review): presumably here so nginx can read ACME-managed key material.
  # With enableACME the nginx module normally arranges access to the vhost's
  # own certificate already, so this membership may grant read access to more
  # certificates than needed. Confirm it is still required.
  users.users.nginx.extraGroups = [ "acme" ];

  services.nginx = {
    enable = true;

    resolver.addresses = upstreamResolvers;

    # stub_status endpoint: http://127.0.0.1/nginx_status
    # NOTE(review): meant for local scraping only; verify in the generated
    # config that it stays restricted to loopback clients.
    statusPage = true;

    # TLS 1.3 only: clients limited to TLS 1.2 or older cannot connect.
    sslProtocols = "TLSv1.3";

    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedBrotliSettings = true;

    virtualHosts.${fqdn} = {
      # Certificate comes from ACME; plain HTTP is redirected to HTTPS.
      enableACME = true;
      forceSSL = true;

      # Kernel TLS offload for the TCP listener.
      kTLS = true;

      # NOTE(review): QUIC is served over UDP, and no firewall rule is part of
      # this module. Confirm UDP 443 is opened (and filtered) wherever the
      # host firewall is defined.
      quic = true;

      locations = {
        # Default answer for anything that is not a Matrix API path, so no
        # other backend route is reachable through this vhost. In particular
        # /_synapse/admin is not matched by the regex below.
        "/".return = "418 \"I'm a Teapot!\"";

        # Regex location: request paths beginning with /_matrix or
        # /_synapse/client are proxied to the backend. The pattern is a plain
        # prefix match with no trailing boundary.
        "~ ^(/_matrix|/_synapse/client)" = {
          # Adds the module's standard forwarding headers (Host, X-Real-IP,
          # X-Forwarded-For, X-Forwarded-Proto, ...). The backend must only
          # trust these when the request really comes from this proxy.
          recommendedProxySettings = true;
          proxyPass = backendUrl;

          # client_max_body_size caps request bodies (media uploads) at 64M.
          # NOTE(review): keep it in line with the homeserver's own upload
          # limit.
          # X-Request-ID carries nginx's per-request id to the backend so
          # both logs can be correlated during incident analysis.
          extraConfig = ''
            client_max_body_size 64M;
            proxy_set_header X-Request-ID $request_id;
            proxy_http_version 1.1;
          '';
        };
      };
    };
  };
}