{ config, ... }:

let
  # Public hostname of this deployment; used as both the virtual host key
  # and its server_name.
  domain = config.smalltech.domain;
in
{
  # nginx exists on this host solely to answer ACME challenges, so nothing
  # else is configured. It is tightly coupled to
  # services/frontend/haproxy.nix: nginx sits behind HAProxy and depends on
  # HAProxy to route requests to it, while HAProxy depends on nginx to take
  # care of the ACME side.
  #
  # The split is fiddly to get working the first time, but the author has
  # found it highly reliable once in place.
  services.nginx = {
    enable = true;
    group = "frontend";

    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    # NOTE(review): no proxy_pass is configured in this file, so this
    # presumably has no effect here -- confirm before relying on it.
    recommendedProxySettings = true;

    virtualHosts.${domain} = {
      serverName = domain;

      # Loopback only: the listener is reachable from this host alone, so
      # external clients can get here only via the HAProxy routing described
      # above. Changing addr would expose plain HTTP directly.
      listen = [
        {
          addr = "127.0.0.1";
          port = 3080;
        }
      ];

      locations."/.well-known/acme-challenge" = {
        # With `root`, the request path is appended to this directory.
        # Everything below it is served without credentials, so it should
        # hold nothing but challenge tokens.
        # NOTE(review): assumed to match the webroot the ACME client writes
        # to -- confirm against the ACME configuration.
        root = "/var/lib/acme/acme-challenge";

        # ACME validation requests carry no credentials, so basic auth is
        # switched off explicitly for this location in case it is enabled at
        # a broader scope (none is visible in this file).
        extraConfig = ''
          auth_basic off;
        '';
      };
    };
  };
}