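# NixOS module: public nginx front end for the Synapse homeserver at `fqdn`.
#
# Fixes against the previous revision:
#   - the `~ ^(/_matrix|/_synapse/client)` location was missing its `=`,
#     which is a Nix syntax error;
#   - `proxyPass` pointed at `unix:/...` without a scheme, which nginx
#     rejects as an invalid proxy_pass URL; nginx expects
#     `http://unix:/path/to/socket`.
{ config, pkgs, ... }:

let
  fqdn = "matrix.berlin.ccc.de";
in
{
  services.nginx = {
    enable = true;
    package = pkgs.nginxQuic;

    # Upstream DNS for nginx's own `resolver` directive (Cloudflare, Quad9);
    # IPv6 literals must be bracketed for this option.
    resolver.addresses = [
      "[2606:4700:4700::1111]"
      "[2620:fe::fe]"
      "1.1.1.1"
      "9.9.9.9"
    ];

    # http://127.0.0.1/nginx_status
    statusPage = true;

    # Narrower than the `recommendedTlsSettings` default (TLS 1.2 + 1.3):
    # clients that cannot speak TLS 1.3 will be refused.
    sslProtocols = "TLSv1.3";
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedZstdSettings = true;
    recommendedGzipSettings = true;
    recommendedBrotliSettings = true;

    virtualHosts."${fqdn}" = {
      quic = true;
      kTLS = true;
      forceSSL = true;
      # The certificate is managed under `security.acme.certs."${fqdn}"`
      # rather than issued per-vhost.
      useACMEHost = fqdn;
      #enableACME = true;

      locations = {
        # Matrix client-server discovery document. It is a static, public
        # JSON blob, so the wildcard CORS header only serves cross-origin
        # web clients performing discovery.
        "/.well-known/matrix/client" = {
          return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.berlin.ccc.de\"}}'";
          extraConfig = ''
            default_type application/json;
            add_header Access-Control-Allow-Origin "*";
          '';
        };

        # Only the client-facing API prefixes reach Synapse. Anything else
        # under /_synapse (e.g. the admin API) does not match this regex and
        # falls through to the "/" catch-all below.
        "~ ^(/_matrix|/_synapse/client)" = {
          recommendedProxySettings = true;
          # nginx requires a scheme in front of a unix-socket upstream.
          proxyPass = "http://unix:/run/matrix-synapse.sock";
          extraConfig = ''
            proxy_set_header X-Request-ID $request_id;
          '';
        };

        # Catch-all for everything not explicitly routed above.
        "/" = {
          return = "418 \"I'm a Teapot!\"";
        };
      };

      # Upper bound for request bodies on this vhost (media uploads go
      # through the proxied location). Presumably meant to agree with
      # Synapse's own upload limit — confirm against its configuration.
      extraConfig = ''
        client_max_body_size 64M;
      '';
    };

    # Applies to every vhost; HTTP/1.1 towards the upstream socket.
    extraConfig = ''
      proxy_http_version 1.1;
    '';
  };

  # With `useACMEHost` nginx is not registered for reload automatically, so
  # ask the ACME unit to reload it on renewal. The remaining certificate
  # settings for this name are expected to live elsewhere in the config.
  security.acme.certs."${fqdn}" = {
    reloadServices = [ "nginx" ];
  };
}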