# NixOS module: baseline nginx setup with privacy-preserving access logs,
# a catch-all default virtual host, short log retention and ACME defaults.
{ ... }:

{
  services.nginx = {
    # Apply configuration changes with a reload instead of a full restart.
    enableReload = true;
    # Enable the presets shipped with the NixOS nginx module.
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    # Directives for the http context, shared by every virtual host.
    #
    # The `map` derives $remote_addr_anon from $remote_addr:
    #   * IPv4: the first three octets are kept, the last becomes 0.
    #   * IPv6: the first two or three colon-separated groups are kept,
    #     the remainder is replaced by `::`.
    #   * anything else is logged as `::`.
    # NOTE(review): the patterns are unanchored and do not normalise `::`
    # compression, so an address such as `::1` appears to come out as a
    # non-canonical string (`:::`). It is still anonymised, but log parsers
    # should not assume a valid address in this field.
    #
    # `combined_anon` follows the layout of nginx's stock `combined` format
    # with the anonymised address substituted; `vcombined_anon` additionally
    # prefixes the requested host.
    #
    # Caveats for anyone relying on this for data minimisation:
    #   * Only the access log is covered. No error_log setting appears here,
    #     and nginx error log entries include the full client address.
    #   * $remote_user, the full request line (query string included),
    #     Referer and User-Agent are still written and may carry
    #     identifying data or secrets passed in URLs.
    #   * An `access_log` directive declared in a server or location block
    #     replaces this http-level one there, so such a block must name one
    #     of the *_anon formats to stay anonymised.
    commonHttpConfig = ''
      server_names_hash_bucket_size 64;
      charset utf-8;
      types {
        text/plain nix;
      }
      map $remote_addr $remote_addr_anon {
        ~(?P<ip>\d+\.\d+\.\d+)\.          $ip.0;
        ~(?P<ip>[^:]*:[^:]*(:[^:]*)?):    $ip::;
        default                           ::;
      }
      log_format combined_anon '$remote_addr_anon - $remote_user [$time_local] '
                               '"$request" $status $body_bytes_sent '
                               '"$http_referer" "$http_user_agent"';
      log_format vcombined_anon '$host: $remote_addr_anon - $remote_user [$time_local] '
                                '"$request" $status $body_bytes_sent '
                                '"$http_referer" "$http_user_agent"';
      access_log /var/log/nginx/access.log vcombined_anon;
    '';

    virtualHosts = {
      # Catch-all server for requests that match no other virtual host.
      "default" = {
        default = true;
        # Reject TLS handshakes on this host, so a request for an unknown
        # name is not answered with another virtual host's certificate.
        rejectSSL = true;
        locations."/" = {
          # Fixed, generic response that reveals nothing about hosted sites.
          return = ''200 "Some piece of infrastructure\n"'';
          # Empty the MIME type map for this location so the explicit
          # default_type is what gets sent.
          extraConfig = ''
            types { } default_type "text/plain; charset=utf-8";
          '';
        };
      };
    };
  };

  # Rotate daily and drop rotated logs older than 14 days, which bounds how
  # long the (anonymised) access data is retained.
  # NOTE(review): no `files` path is set here; presumably this merges with
  # the logrotate entry defined by the nginx module. Confirm that it covers
  # /var/log/nginx/access.log.
  services.logrotate.settings.nginx = {
    frequency = "daily";
    maxage = 14;
  };

  # ACME account defaults: contact address and acceptance of the CA's terms.
  security.acme = {
    defaults.email = "letsencrypt@clerie.de";
    acceptTerms = true;
  };
}