{ pkgs, ... }:

let
  # Every key-serving location below reads from this single package, so the
  # published SSH and OpenPGP material comes from one build input.
  keyMaterial = pkgs.clerie-keys;

  # TLS settings shared by both virtual hosts: request an ACME certificate and
  # force HTTPS for the vhost.
  httpsOnly = {
    forceSSL = true;
    enableACME = true;
  };

  # Site content, fetched at a fixed commit. The content hash pins what is
  # served: if the repository returns anything else for this rev, the fetch
  # fails at build time instead of silently changing the site.
  siteContent = pkgs.fetchgit {
    url = "https://git.clerie.de/clerie/clerie.de.git";
    rev = "ec744cbeaf99ae4fd4832d7e594bc72bfabc8706";
    hash = "sha256-EG8UO/9ycyWjtqLUX7ydctLdIbq/j8zylEK7YYvEwmI=";
  };

  # known_hosts file rendered into the store from the repository's host list.
  knownHostsFile = pkgs.writeText "known_hosts" (import ../../lib/ssh-known-hosts.nix);
in
{
  services.nginx.virtualHosts = {
    # Redirect-only host: every path is answered with a permanent redirect to
    # the bare domain, keeping the original request URI.
    "www.clerie.de" = httpsOnly // {
      locations = {
        "/" = {
          return = "301 https://clerie.de$request_uri";
        };
      };
    };

    "clerie.de" = httpsOnly // {
      root = siteContent;

      locations = {
        # Public SSH keys. `root` (not `alias`) means the request path is
        # appended, so /ssh/... resolves below the package's ssh/ directory.
        # The `types` block replaces the inherited MIME map for this location,
        # leaving only *.pub mapped to text/plain.
        "/ssh" = {
          root = keyMaterial;
          extraConfig = ''
            types {
              text/plain pub;
            }
          '';
        };

        # Exact-match location serving the generated known_hosts as UTF-8 text.
        # NOTE(review): anyone importing this file trusts host keys on the
        # strength of this vhost's TLS alone; confirm that consumers are meant
        # to use it that way.
        "= /ssh/known_hosts" = {
          alias = knownHostsFile;
          extraConfig = ''
            types { }
            default_type "text/plain; charset=utf-8";
          '';
        };

        # Public OpenPGP keys, same layout as /ssh; only *.asc is mapped to
        # text/plain.
        "/gpg" = {
          root = keyMaterial;
          extraConfig = ''
            types {
              text/plain asc;
            }
          '';
        };

        # Web Key Directory lookup path. The hash segment of the URL is only
        # matched by the regex and never compared with anything: try_files
        # always serves /gpg/clerie@clerie.de, so a lookup for any local part
        # at this domain gets this one key.
        # NOTE(review): presumably an intentional catch-all; confirm. The dot
        # in ".well-known" is unescaped, so the regex accepts any character in
        # that position.
        "~ ^/.well-known/openpgpkey/hu/[a-z0-9]+/?$" = {
          root = keyMaterial;
          extraConfig = ''
            types { }
            default_type application/octet-stream;
            add_header Access-Control-Allow-Origin * always;
            try_files /gpg/clerie@clerie.de =404;
          '';
        };

        # Web Key Directory policy file: answered with 200 and an empty body.
        # The CORS header permits cross-origin reads from any origin.
        "= /.well-known/openpgpkey/policy" = {
          return = "200 ''";
          extraConfig = ''
            types { }
            default_type application/octet-stream;
            add_header Access-Control-Allow-Origin * always;
          '';
        };
      };

      # Per-vhost access log using the `combined_anon` format, which is
      # defined outside this file (presumably an anonymising format; verify
      # where it is declared).
      extraConfig = ''
        access_log /var/log/nginx/clerie.de.log combined_anon;
      '';
    };
  };
}