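{ config, pkgs, ... }:

# Web front-end for a mail host. nginx answers for the bare domain and for
# the machine's FQDN over TLS only, serves the HTTP-01 ACME challenge on
# port 80 and redirects every other plain-HTTP request to HTTPS. A single
# certificate (issued for config.networking.domain with config.networking.fqdn
# as an extra name) is shared by both TLS vhosts through useACMEHost.
{
  nixpkgs.config.allowUnfree = true;

  # Only the web ports are opened here; mail ports are not handled in this
  # file (presumably elsewhere in the configuration).
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    # Module-provided TLS protocol/cipher/session hardening.
    # NOTE(review): this does not emit Strict-Transport-Security; add an HSTS
    # header to the TLS vhosts if clients should be pinned to HTTPS.
    recommendedTlsSettings = true;

    virtualHosts = {
      # Bare domain: HTTPS only, answers with a plain-text notice.
      "${config.networking.domain}" = {
        onlySSL = true;
        useACMEHost = config.networking.domain;
        locations."/" = {
          return = "200 'This domain used for e-mail hosting only.'";
          # `return` derives Content-Type from the URI extension / default_type;
          # add_header only appends, so the original could emit two
          # Content-Type headers. Clearing the type map and setting
          # default_type forces text/plain for every path under this location.
          extraConfig = ''
            types { }
            default_type text/plain;
          '';
        };
      };

      # Port-80 listener: ACME HTTP-01 challenge plus redirect to HTTPS.
      # The attribute name only has to be unique; serverName is set so the
      # generated server_name is a real hostname instead of "<fqdn>-80".
      "${config.networking.fqdn}-80" = {
        serverName = config.networking.fqdn;
        # The bare domain is listed explicitly: "*.ktiu.net" does not match
        # "ktiu.net", so the challenge for the certificate's primary name
        # previously relied on this being nginx's only (hence default)
        # port-80 server. The wildcard is still a hard-coded literal; it is
        # assumed to equal "*.${config.networking.domain}" — verify.
        serverAliases = [ config.networking.domain "*.ktiu.net" ];
        # Must match security.acme.certs.<name>.webroot below. Because the
        # certificate is consumed via useACMEHost rather than enableACME, the
        # nginx module does not add this location on its own.
        locations."/.well-known/acme-challenge" = {
          root = "/var/lib/acme/.challenges";
        };
        # $host echoes the client's Host header. That is intended with a
        # wildcard alias; a Host we hold no certificate for simply fails the
        # subsequent TLS handshake.
        locations."/" = {
          return = "301 https://$host$request_uri";
        };
      };

      # FQDN over HTTPS: nothing is served here, so every path is a 404.
      "${config.networking.fqdn}" = {
        onlySSL = true;
        useACMEHost = config.networking.domain;
        locations."/" = {
          return = "404";
        };
      };
    };
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "till@ktiu.net";
    certs."${config.networking.domain}" = {
      domain = config.networking.domain;
      # Served by the port-80 vhost above; the two paths must stay identical.
      webroot = "/var/lib/acme/.challenges";
      # nginx needs read access to the key material of the shared certificate.
      group = config.services.nginx.group;
      extraDomainNames = [ config.networking.fqdn ];
    };
  };
}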