{ pkgs, ... }:

let
  eh09 = pkgs.fetchgit {
    url = "https://git.hamburg.ccc.de/CCCHH/easterhegg-2009-website.git";
    rev = "6d4a50c5ab23870072f0b33dd0171b0c56d6cab5";
    hash = "sha256-kPJOrKseJD/scRxhYFa249DT1cYmeCjnK50Bt0IJZK8=";
  };
in
{
  security.acme.certs."eh09.easterhegg.eu".extraDomainNames = [
    "eh2009.hamburg.ccc.de"
    "www.eh2009.hamburg.ccc.de"
    "eh09.hamburg.ccc.de"
    "www.eh09.hamburg.ccc.de"
    "easterhegg2009.hamburg.ccc.de"
    "www.easterhegg2009.hamburg.ccc.de"
  ];

  services.nginx.virtualHosts = {
    "acme-eh09.easterhegg.eu" = {
      enableACME = true;
      serverName = "eh09.easterhegg.eu";
      serverAliases = [
        "eh2009.hamburg.ccc.de"
        "www.eh2009.hamburg.ccc.de"
        "eh09.hamburg.ccc.de"
        "www.eh09.hamburg.ccc.de"
        "easterhegg2009.hamburg.ccc.de"
        "www.easterhegg2009.hamburg.ccc.de"
      ];
      listen = [{
        addr = "0.0.0.0";
        port = 31820;
      }];
    };

    "easterhegg2009.hamburg.ccc.de" = {
      forceSSL = true;
      useACMEHost = "eh09.easterhegg.eu";
      serverAliases = [
        "eh2009.hamburg.ccc.de"
        "www.eh2009.hamburg.ccc.de"
        "eh09.hamburg.ccc.de"
        "www.eh09.hamburg.ccc.de"
        "www.easterhegg2009.hamburg.ccc.de"
      ];

      listen = [{
        addr = "0.0.0.0";
        port = 8443;
        ssl = true;
        proxyProtocol = true;
      }];

      locations."/".return = "302 https://eh09.easterhegg.eu";
      
      extraConfig = ''
        # Make use of the ngx_http_realip_module to set the $remote_addr and
        # $remote_port to the client address and client port, when using proxy
        # protocol.
        # First set our proxy protocol proxy as trusted.
        set_real_ip_from 172.31.17.140;
        # Then tell the realip_module to get the addreses from the proxy protocol
        # header.
        real_ip_header proxy_protocol;
      '';
    };

    "eh09.easterhegg.eu" = {
      forceSSL = true;
      useACMEHost = "eh09.easterhegg.eu";

      listen = [{
        addr = "0.0.0.0";
        port = 8443;
        ssl = true;
        proxyProtocol = true;
      }];

      locations."/" = {
        index = "index.shtml";
        root = eh09;
        extraConfig = ''
          # Set default_type to html 
          default_type text/html;
          # Enable SSI
          ssi on;
        ''; 
      };
      extraConfig = ''
        # Make use of the ngx_http_realip_module to set the $remote_addr and
        # $remote_port to the client address and client port, when using proxy
        # protocol.
        # First set our proxy protocol proxy as trusted.
        set_real_ip_from 172.31.17.140;
        # Then tell the realip_module to get the addreses from the proxy protocol
        # header.
        real_ip_header proxy_protocol;
        # Enable SSI
        ssi on;
      '';
    };
  };
}