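{ pkgs, lib, ... }:

let
  # Self-signed placeholder certificate for the catch-all vhost below.
  #
  # SECURITY: this is produced by `runCommand`, so ca.pem AND the private key
  # ca.key are written to /nix/store, which is world-readable on the host and
  # may be copied to binary caches. Treat the key as public. It is acceptable
  # only for a default site that serves nothing; never reuse it for a vhost
  # that carries real traffic (use security.acme, or a key provisioned at
  # runtime outside the store, for that).
  snakeOilCa = pkgs.runCommand "snakeoil-ca" {
    # openssl is executed at build time, so it is a native build input;
    # buildInputs is for dependencies of the produced output itself.
    nativeBuildInputs = [ pkgs.openssl ];
  } ''
    mkdir "$out"
    # -x509  : emit a self-signed certificate directly instead of a CSR
    # -nodes : leave the key unencrypted (nginx must read it without a passphrase)
    # -days 36500 : ~100 years; this is a placeholder, not something that rotates
    openssl req -newkey rsa:4096 -x509 -sha256 -days 36500 \
      -subj '/CN=Snakeoil CA' -nodes \
      -out "$out/ca.pem" -keyout "$out/ca.key"
  '';
in
{
  services.nginx = {
    enable = true;
    recommendedOptimisation = true;
    recommendedTlsSettings = true;
    recommendedGzipSettings = true;
    # recommendedBrotliSettings = true;
    recommendedProxySettings = true;

    # Only allow PFS-enabled (ephemeral ECDH / DH) cipher suites using AES-256.
    # NOTE(review): this is an OpenSSL cipher-list string, which nginx applies
    # to TLS <= 1.2 only; TLS 1.3 suites (presumably enabled via
    # recommendedTlsSettings -- confirm) are chosen separately and are not
    # restricted by this line. Pinning AES256 also excludes CHACHA20-POLY1305,
    # which is the better choice for clients without AES hardware acceleration.
    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";

    # Disable access logs. This is a privacy trade-off: it also removes the
    # primary evidence source for incident response on this host. Error logs
    # are unaffected. Make sure this is intended before deploying.
    commonHttpConfig = ''
      access_log off;
    '';

    # Catch-all site: any request whose Host header matches no other vhost
    # lands here and receives a static placeholder page. `mkDefault` lets
    # another module claim the default vhost without a definition conflict.
    # `addSSL` serves both plain HTTP and HTTPS (no redirect), which is fine
    # for a page that carries nothing sensitive.
    virtualHosts.default = {
      default = lib.mkDefault true;
      addSSL = true;
      # Snake-oil cert: browsers will warn, which is expected for a catch-all.
      sslCertificateKey = "${snakeOilCa}/ca.key";
      sslCertificate = "${snakeOilCa}/ca.pem";
      root = pkgs.writeTextDir "index.html" ''
        Nothing to see

        Like I said, nothing to see here

      '';
    };
  };

  networking.firewall = {
    allowedTCPPorts = [ 80 443 ];
    # UDP 443 is only used by HTTP/3 (QUIC). Nothing in this module enables
    # `quic`/`http3` on a listen directive, so nothing here answers on it.
    # TODO(review): drop this unless HTTP/3 is enabled by another module.
    allowedUDPPorts = [ 443 ];
  };
}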