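# NixOS module: plain-HTTP nginx front end plus one-time DH parameter generation.
#
# - createNginxDH writes /etc/nginx/dhparam.pem once, for use by TLS server
#   blocks (none are defined in this file).
# - The port-80 server only answers ACME HTTP-01 challenges and redirects
#   everything else to https://gebner.org.
{ config, pkgs, ... }:

{
  systemd.services.createNginxDH = {
    path = [ pkgs.openssl ];

    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = "yes";
    };

    wantedBy = [ "nginx.service" ];
    # wantedBy only pulls this unit in alongside nginx; it does not order it.
    # Without an explicit ordering nginx may start while the parameters are
    # still being generated and find a missing or half-written file.
    before = [ "nginx.service" ];

    script = ''
      dh=/etc/nginx/dhparam.pem
      tmp="$dh.tmp"

      # -s rather than -f: a zero-length file left by an interrupted run
      # must not be mistaken for valid parameters.
      if [ ! -s "$dh" ]; then
        mkdir -p /etc/nginx/
        # Generate into a temporary file and rename, so the final path
        # only ever holds a complete parameter set.
        rm -f "$tmp"
        openssl dhparam -out "$tmp" 2048
        mv "$tmp" "$dh"
      fi
    '';
  };

  services.nginx = {
    enable = true;

    # NOTE(review): the acme-challenge location and its alias both lack a
    # trailing slash, so the prefix match also covers sibling names such as
    # /.well-known/acme-challengeX. Adding the slash on both sides would
    # confine the location to the challenge directory; confirm against the
    # ACME client's layout before changing.
    httpConfig = ''
      server {
        listen [::]:80;
        listen 80;
        server_name _;

        location /.well-known/acme-challenge {
          default_type text/plain;
          alias /etc/sslcerts/acmeroot/.well-known/acme-challenge;
        }

        location / {
          rewrite ^(.*) https://gebner.org$1 permanent;
        }
      }
    '';
  };
}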