{ pkgs, ... }:

{
  services.nginx.virtualHosts = {
    "www.clerie.de" = {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        return = "301 https://clerie.de$request_uri";
      };
    };

    "clerie.de" = {
      enableACME = true;
      forceSSL = true;
      root = pkgs.fetchgit {
        url = "https://git.clerie.de/clerie/clerie.de.git";
        rev = "9417332ff85b058901d9875828f9dea8247bb431";
        hash = "sha256-bCTyhyPeCNHsGDfyYA5yM0OA8040XFO3Gvakrco+FEo=";
      };
      locations."= /ssh/known_hosts" = {
        alias = pkgs.writeText "known_hosts" (import ../../lib/ssh-known-hosts.nix);
        extraConfig = ''
          types { } default_type "text/plain; charset=utf-8";
        '';
      };
      locations."~ ^/.well-known/openpgpkey/hu/[a-z0-9]+/?$" = {
        extraConfig = ''
          default_type application/octet-stream;
          add_header Access-Control-Allow-Origin * always;
          try_files /gpg/clerie@clerie.de =404;
        '';
      };
      locations."= /.well-known/openpgpkey/policy" = {
        extraConfig = ''
          default_type application/octet-stream;
          add_header Access-Control-Allow-Origin * always;
        '';
        return = "200 ''";
      };
      extraConfig = ''
        access_log /var/log/nginx/clerie.de.log combined_anon;
      '';
    };
  };
}