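# NixOS module: nginx as the TLS-terminating reverse proxy in front of a Matrix
# homeserver that listens on loopback port 8008.
{ config, pkgs, ... }:
let
  # Public hostname of the homeserver. Also used as the ACME certificate name
  # and as the base_url advertised to clients.
  fqdn = "matrix.berlin.ccc.de";
in
{
  services.nginx = {
    enable = true;
    # QUIC-capable nginx build; needed for `quic = true` on the virtual host.
    package = pkgs.nginxQuic;
    # Public recursive resolvers (Cloudflare and Quad9, IPv6 first) for lookups
    # nginx does at runtime. nginx queries them over plain DNS.
    resolver.addresses = [
      "[2606:4700:4700::1111]"
      "[2620:fe::fe]"
      "1.1.1.1"
      "9.9.9.9"
    ];
    # NOTE(review): expected to be reachable from localhost only; confirm it is
    # not exposed on a public listener.
    statusPage = true; # http://127.0.0.1/nginx_status
    # TLS 1.3 only: older clients cannot connect, which also removes legacy
    # protocol versions from the attack surface.
    sslProtocols = "TLSv1.3";
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedZstdSettings = true;
    recommendedGzipSettings = true;
    recommendedBrotliSettings = true;

    virtualHosts."${fqdn}" = {
      # NOTE(review): QUIC runs over UDP, so the firewall must allow UDP on the
      # HTTPS port, and clients normally learn about HTTP/3 from an Alt-Svc
      # header. Neither is configured in this file; confirm elsewhere.
      quic = true;
      kTLS = true;
      # Redirects plain HTTP to HTTPS. No Strict-Transport-Security header is
      # set in this file.
      forceSSL = true;
      # Certificate comes from security.acme.certs."${fqdn}" (see bottom).
      useACMEHost = fqdn;

      locations = {
        # Default deny: every path not matched below is answered by nginx
        # itself and never reaches the backend. This includes /_synapse/admin.
        "/".return = "418 \"I'm a Teapot!\"";

        # Static client discovery document, served without touching the
        # backend. The content is public, so a wildcard CORS origin is fine.
        "= /.well-known/matrix/client" = {
          return = "200 '{\"m.homeserver\": {\"base_url\": \"https://${fqdn}\"}}'";
          # nginx inherits add_header from the enclosing level only when a
          # location defines none of its own, so security headers added at
          # server level later would not apply to this location.
          extraConfig = ''
            default_type application/json;
            add_header Access-Control-Allow-Origin "*";
          '';
        };

        # Only the client-server/federation API and the Synapse client
        # endpoints are proxied.
        "~ ^(/_matrix|/_synapse/client)" = {
          recommendedProxySettings = true;
          # Plain HTTP to the backend over loopback.
          # NOTE(review): the homeserver listener should bind to localhost
          # only and be set to trust forwarded headers from this proxy.
          proxyPass = "http://[::1]:8008";
          # NOTE(review): 64M should match the homeserver's own upload limit.
          # X-Request-ID lets proxy and backend log lines be correlated.
          extraConfig = ''
            client_max_body_size 64M;
            proxy_set_header X-Request-ID $request_id;
            proxy_http_version 1.1;
          '';
        };
      };
    };
  };

  # Reload nginx after each renewal so it serves the new certificate.
  # NOTE(review): only reloadServices is set here. With useACMEHost, the
  # challenge settings and nginx's read access to the key must be defined
  # elsewhere; confirm.
  security.acme.certs."${fqdn}".reloadServices = [ "nginx" ];
}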