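# NixOS module: minimal HTTPS front for a host that only handles e-mail.
#
# - The bare domain answers every path with a short plain-text notice.
# - The host's FQDN answers every path with 404.
#
# Both virtual hosts reuse the ACME certificate named after
# `config.networking.domain`; this module does not define that certificate.
{ config, ... }:

{
  # NOTE(review): both virtual hosts below set `onlySSL`, so this module
  # configures no plain-HTTP listener. Port 80 is presumably kept open for
  # something defined elsewhere (ACME HTTP-01 challenge, redirect) — confirm,
  # and drop it from the list if nothing listens there.
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];

  services.nginx = {
    enable = true;

    # NixOS-provided presets for proxy headers and TLS parameters.
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    virtualHosts = {
      # Bare domain: static notice, served over TLS only.
      "${config.networking.domain}" = {
        onlySSL = true;
        useACMEHost = config.networking.domain;

        locations."/" = {
          return = "200 'This domain used for e-mail hosting only.'";

          # Set the response type through nginx's own Content-Type handling.
          # `add_header Content-Type ...` does not replace the header nginx
          # already emits for a `return` body, so clients received two
          # conflicting Content-Type headers. Clearing the extension map makes
          # `default_type` apply to every path matched by this location
          # (e.g. /index.html), not only to extension-less URIs.
          extraConfig = ''
            types { }
            default_type text/plain;
          '';
        };
      };

      # Host FQDN: nothing is published here, every request gets 404.
      # NOTE(review): this reuses the certificate issued for the bare domain;
      # it presumably lists the FQDN as an additional name — verify, otherwise
      # clients will see a certificate name mismatch.
      "${config.networking.fqdn}" = {
        onlySSL = true;
        useACMEHost = config.networking.domain;

        locations."/" = {
          return = "404";
        };
      };
    };
  };
}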