# NixOS module: public nginx front end with ACME-issued certificates.
#
# Opens TCP 80 and 443, enables ACME and forceSSL on every virtual host,
# serves a few static trees and one WebDAV area, and reverse-proxies the
# remaining names to backends addressed over plain HTTP.
{ config, lib, pkgs, ... }:

let
  # Service address/port records kept in the shared aliases file.
  svc = (import ../data/aliases.nix).services;

  # Settings common to every virtual host below.
  tlsVhost = {
    enableACME = true;
    forceSSL = true;
  };

  # orbekk.no and orbekk.com serve the same static tree.
  mainSite = tlsVhost // { root = "/storage/srv/orbekk.com"; };

  # Upstream URL for an aliased service. The trailing slash makes nginx
  # replace the matched location prefix with "/" when proxying.
  backendUrl = loc: "http://${loc.address}:${toString loc.port}/";
in
{
  imports = [ ./orbekk-pkgs.nix ];

  security.acme = {
    acceptTerms = true;
    email = "kj@orbekk.com";
  };

  networking.firewall.allowedTCPPorts = [ 80 443 ];

  services.nginx = {
    enable = true;

    # nginx built with the extra "dav" module; the /dav location below uses
    # dav_ext_methods.
    package = pkgs.nginxStable.override {
      modules = [ pkgs.nginxModules.dav ];
    };

    # NOTE(review): recommendedTlsSettings is not enabled in this file;
    # consider whether the TLS defaults in use are the ones wanted.
    recommendedProxySettings = true;

    # Appended to the http {} block, so these apply to every vhost.
    appendHttpConfig = ''
      # This is a workaround to deal with closed connections on
      # large downloads.
      proxy_buffering off;
      charset utf-8;
    '';

    virtualHosts = {
      "orbekk.no" = mainSite;
      "orbekk.com" = mainSite;

      "kj.orbekk.com" = tlsVhost // {
        root = "/home/orbekk/www-public";

        locations = {
          # Serve from the vhost root first, then fall back to @storage.
          # NOTE(review): the cache-defeating directives are set on this
          # location only; check whether responses that fall through to
          # @storage are meant to carry them as well.
          "/" = {
            extraConfig = ''
              try_files $uri @storage;
              # kill cache
              add_header Last-Modified $date_gmt;
              add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
              if_modified_since off;
              expires off;
              etag off;
            '';
          };

          # NOTE(review): @storage, /stats/ and /munin/ enable autoindex and
          # no auth_basic is configured for them in this file, so their
          # directory listings are served to any client that can reach the
          # host. Confirm that is intended, in particular for the
          # monitoring output (judging by the paths).
          "@storage" = {
            root = "/storage/srv/kj.orbekk.com";
            extraConfig = ''
              autoindex on;
            '';
          };

          "/stats/" = {
            alias = "/var/lib/stats/out/";
            extraConfig = "autoindex on;";
          };

          "/munin/" = {
            alias = "/var/www/munin/";
            extraConfig = "autoindex on;";
          };

          "/mpd".proxyPass = backendUrl svc.mpd;

          # WebDAV area behind HTTP basic auth. The vhost sets forceSSL, so
          # the auth challenge is issued over TLS. The htpasswd file is
          # named by a string path and read from /opt/secret at runtime, so
          # it is not copied into the Nix store.
          # Uploads land under /storage/srv/kj.orbekk.com/dav, inside the
          # tree that @storage serves; requests under /dav are still
          # matched by this location.
          # NOTE(review): "dav_access ... all:rw" creates uploaded files and
          # directories writable by every local account. "all:r" would keep
          # them readable without that; confirm nothing depends on
          # world-write before tightening.
          "/dav" = {
            root = "/storage/srv/kj.orbekk.com";
            extraConfig = ''
              auth_basic webdav;
              # htpasswd -c /opt/secret/nginx-webdav.htpasswd
              dav_ext_methods PROPFIND OPTIONS;
              auth_basic_user_file "/opt/secret/nginx-webdav.htpasswd";
              dav_methods put delete mkcol copy move;
              dav_access user:rw group:rw all:rw;
              create_full_put_path on;
              autoindex on;
            '';
          };

          #locations."/systemd" = {
          #  proxyPass = "http://10.0.20.15:11105/";
          #};
          #locations."/hledger" = {
          #  extraConfig = ''return 302 /hledger/;'';
          #};
          # locations."/hledger/" = {
          #   proxyPass = "http://localhost:5000/";
          #   extraConfig = ''
          #     auth_basic "hledger";
          #     auth_basic_user_file /opt/site/hledger-htpasswd;
          #   '';
          # };

          # No URI part in the upstream URL, so the request path is passed
          # through unchanged.
          "/_matrix" = {
            proxyPass = "http://10.0.20.15:11102";
          };
        };
      };

      # The vhosts below are pure reverse proxies. TLS ends at this host and
      # the hop to each backend is plain HTTP.
      "ympd.orbekk.com" = tlsVhost // {
        locations."/".proxyPass = backendUrl svc.mpdweb;
      };

      "git.orbekk.com" = tlsVhost // {
        locations."/" = {
          proxyPass = "http://10.0.20.2:11103";
        };
      };

      "hydra.orbekk.com" = tlsVhost // {
        locations."/".proxyPass = "http://10.0.20.2:11101";
      };

      "kufieta.net" = tlsVhost // {
        locations."/" = {
          proxyPass = "http://10.0.20.13:8080";
        };
      };

      "journal.orbekk.com" = tlsVhost // {
        locations."/" = {
          proxyPass = "http://localhost:${toString svc.pjournal.port}";
        };
      };
    };
  };
}