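# NixOS module: nginx virtual hosts for the public site (www.<domain>, also
# served on the bare domain) and a password-protected staging site.
#
# Reads config.networking.domain for the host names and
# config.age.secrets.www-staging-htpasswd.path for the staging credentials.
{ config, ... }:
let
  # TODO: mkVHost

  # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months).
  # "always" makes nginx attach the header to error responses as well.
  # Kept in one binding because nginx only inherits add_header from the
  # enclosing level when the current level declares no add_header of its own;
  # every location that sets its own headers has to repeat it.
  hstsHeader = "add_header Strict-Transport-Security max-age=15768000 always;";
in
{
  services.nginx.virtualHosts = {
    "www.${config.networking.domain}" = {
      # The only default server: requests with an unknown Host header land here.
      default = true;
      serverAliases = [ config.networking.domain ];
      quic = true;
      kTLS = true;
      forceSSL = true;
      enableACME = true;
      extraConfig = ''
        ${hstsHeader}
      '';

      locations = {
        "/" = {
          root = "/srv/http/www";
          index = "index.html";
          tryFiles = "$uri $uri/ $uri.html =404";
        };

        # RFC8805
        "/noc" = {
          root = "/srv/http/noc";
        };

        # RFC8805 new location
        # A prefix location must start with "/", otherwise it never matches a
        # request URI and the request falls through to "/".
        "/.well-known/loc" = {
          root = "/srv/http/noc";
        };

        # With alias, the matched prefix is replaced verbatim, so the trailing
        # slash of the location and of the alias have to agree. Without it,
        # /twentyyears/x would resolve to /srv/http/twentyyearsx.
        "/twentyyears/" = {
          alias = "/srv/http/twentyyears/";
        };

        # Matrix delegation documents. These locations declare add_header
        # themselves, so the server-level HSTS header is repeated here.
        "/.well-known/matrix/client" = {
          return = "200 '{\"m.homeserver\":{\"base_url\":\"https://matrix.berlin.ccc.de\"}}'";
          extraConfig = ''
            ${hstsHeader}
            add_header Access-Control-Allow-Origin "*";
            default_type application/json;
          '';
        };
        "/.well-known/matrix/server" = {
          return = "200 '{\"m.server\":\"matrix.berlin.ccc.de:443\"}'";
          extraConfig = ''
            ${hstsHeader}
            add_header Access-Control-Allow-Origin "*";
            default_type application/json;
          '';
        };

        # Per-user directories: /~NAME/ maps to /srv/http/homes/NAME.
        # Only URIs ending in "/" match, so this location serves directory
        # listings, and the lazy (.+?) can span several path segments.
        # NOTE(review): autoindex makes every directory below
        # /srv/http/homes listable; confirm that nothing non-public and no
        # symlink leading out of the tree is placed there.
        "~ ^/~(.+?)/$" = {
          alias = "/srv/http/homes/$1";
          extraConfig = ''
            ${hstsHeader}
            autoindex on;
          '';
        };
      };
    };

    "staging.${config.networking.domain}" = {
      # Deliberately not a default server: www already is, and nginx rejects a
      # second default_server on the same listen socket. This also keeps
      # requests with an unknown Host header away from the staging site.
      quic = true;
      kTLS = true;
      forceSSL = true;
      enableACME = true;
      extraConfig = ''
        ${hstsHeader}
      '';

      locations."/" = {
        # HTTP basic auth; the htpasswd file is provisioned as an age secret.
        # NOTE(review): the secret's owner/mode must let the nginx user read
        # it; that is declared outside this file, so verify it there.
        basicAuthFile = config.age.secrets.www-staging-htpasswd.path;
        root = "/srv/http/www-staging";
        index = "index.html";
        tryFiles = "$uri $uri/ $uri.html =404";
      };
    };
  };
}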