{ pkgs, ... }:

{

  systemd.tmpfiles.rules = [
    "d /var/cache/nginx/nurausstieg - nginx nginx - -"
  ];

  services.nginx = {
    commonHttpConfig = ''
      proxy_cache_path /var/cache/nginx/nurausstieg levels=1:2 use_temp_path=off keys_zone=nurausstieg:1m max_size=10m;
    '';

    virtualHosts."nurausstieg.clerie.de" = {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://[::1]:44384";
        extraConfig = ''
          proxy_cache nurausstieg;
          # Ignore upstream cache hints
          proxy_ignore_headers Cache-Control;
          # Force cache 200 and 500 responses for one minute
          proxy_cache_valid 200 500 1m;
          # Only do a single fetch for missing entries and let other sessions wait
          proxy_cache_lock on;
        '';
      };
    };
  };

  systemd.services.nurausstieg = {
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      DynamicUser = true;
    };
    path = with pkgs; [ nurausstieg ];
    script = "nurausstieg --listen [::1]:44384";
  };

}