{ config, lib, pkgs, ... }:
{
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    appendHttpConfig = ''
      # This is a workaround to deal with closed connections on
      # large downloads.
      proxy_buffering off;
    '';
    virtualHosts = {
      "orbekk.com" = {
        enableACME = true;
        forceSSL = true;
        root = "/srv/www/orbekk";
      };
      "shape.orbekk.com" = {
        enableACME = true;
        forceSSL = true;
        root = "/srv/www/orbekk";
      };
      "kj.orbekk.com" = {
        enableACME = true;
        forceSSL = true;
        locations."/".proxyPass = "http://10.0.20.11:8011";
        locations."/hledger" = {
          extraConfig = ''return 302 /hledger/;'';
        };
        # locations."/hledger/" = {
        #   proxyPass = "http://localhost:5000/";
        #   extraConfig = ''
        #     auth_basic "hledger";
        #     auth_basic_user_file /opt/site/hledger-htpasswd;
        #   '';
        # };
        locations."/_matrix" = {
          proxyPass = "http://10.0.20.15:11102";
        };
      };
      "git.orbekk.com" = {
        enableACME = true;
        forceSSL = true;
        locations."/".proxyPass = "http://10.0.20.15:11103";
      };
      "hydra.orbekk.com" = {
        enableACME = true;
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://10.0.20.15:11101";
        };
      };
    };
  };
}