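{ config, pkgs, ... }:

{
  # One-shot unit that generates the DH parameters nginx is pointed at via
  # `sslDhparam` below. It is ordered before nginx.service and only runs the
  # (slow) generation when the file does not exist yet.
  #
  # NOTE(review): nixpkgs also offers a declarative equivalent
  # (`security.dhparams.params.nginx = {}` and
  # `sslDhparam = config.security.dhparams.params.nginx.path`); keeping the
  # hand-rolled unit here to preserve the existing /etc/nginx/dhparam.pem path.
  systemd.services.createNginxDH = rec {
    path = [ pkgs.openssl ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = "yes";
    };
    wantedBy = [ "nginx.service" ];
    before = wantedBy;
    script = ''
      set -eu
      if [ ! -f /etc/nginx/dhparam.pem ]; then
        mkdir -p /etc/nginx/
        # Write to a temporary file and rename it into place: DH generation
        # can take minutes, and an interrupted run must not leave a truncated
        # dhparam.pem behind that the -f check above would accept on the next
        # boot (nginx would then fail to load it).
        openssl dhparam -out /etc/nginx/dhparam.pem.tmp 2048
        mv /etc/nginx/dhparam.pem.tmp /etc/nginx/dhparam.pem
      fi
      # DH parameters are public values, so the default (world-readable)
      # file mode is fine.
    '';
  };

  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    # NOTE(review): if `recommendedTlsSettings` yields an ECDHE-only cipher
    # list (the case in recent nixpkgs), these DH parameters are never used
    # for key exchange; they are harmless but could be dropped together with
    # the unit above — verify the effective `ssl_ciphers` first.
    sslDhparam = "/etc/nginx/dhparam.pem";
    # Catch-all vhost: any request whose Host/SNI matches no other server
    # block lands here and is 301-redirected to gebner.org (https, because
    # addSSL is set). Note that clients sending an unrelated SNI will be shown
    # the gebner.org certificate, which is inherent to a TLS catch-all.
    virtualHosts."_" = {
      default = true;
      addSSL = true;
      useACMEHost = "gebner.org";
      globalRedirect = "gebner.org";
    };
  };

  # TODO(security): the ACME certificate files are owned by root, so this
  # workaround (from https://github.com/NixOS/nixpkgs/pull/84960) forces the
  # nginx *master* process to run as root and relies on nginx's own `user`
  # directive to drop the worker processes to the configured user/group.
  # Running the master as root widens the blast radius of any bug in it and
  # weakens the unit's systemd sandboxing, so this should be temporary.
  #
  # NOTE(review): on nixpkgs revisions where certificates live under
  # /var/lib/acme and are group-readable by the `acme` group, the narrower
  # fix is to drop the mkForce below and instead grant read access, e.g.
  # `users.users.${cfg.user}.extraGroups = [ "acme" ];` or
  # `security.acme.certs."gebner.org".group = config.services.nginx.group;`
  # — confirm against the nixpkgs revision in use before switching.
  # If the nginx unit sets a CapabilityBoundingSet, it must still include
  # CAP_SETUID and CAP_SETGID, or the root master cannot switch workers to
  # the unprivileged user.
  services.nginx.appendConfig =
    let cfg = config.services.nginx;
    in ''user ${cfg.user} ${cfg.group};'';
  systemd.services.nginx.serviceConfig.User = pkgs.lib.mkForce "root";
}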