{ pkgs, ... }:

let
  eh07 = builtins.fetchGit {
    url = "forgejo@git.hamburg.ccc.de:CCCHH/easterhegg-2007-website.git";
    ref = "main";
    rev = "50cd064c6329a38ad2e9c1a4a8d4b37abd171b53";
  };
in
{
  services.nginx.virtualHosts = {
    "acme-eh07.easterhegg.eu" = {
      enableACME = true;
      serverName = "eh07.easterhegg.eu";

      listen = [
        {
          addr = "0.0.0.0";
          port = 31820;
        }
      ];
    };

    "eh07.easterhegg.eu" = {
      forceSSL = true;
      useACMEHost = "eh07.easterhegg.eu";

      listen = [
        {
          addr = "0.0.0.0";
          port = 8443;
          ssl = true;
          proxyProtocol = true;
        }
      ];

      root = pkgs.buildEnv {
        name = "eh07";
        paths = [
          eh07
        ];
      };

      extraConfig = ''
        # Make use of the ngx_http_realip_module to set the $remote_addr and
        # $remote_port to the client address and client port, when using proxy
        # protocol.
        # First set our proxy protocol proxy as trusted.
        set_real_ip_from 172.31.17.140;
        # Then tell the realip_module to get the addreses from the proxy protocol
        # header.
        real_ip_header proxy_protocol;
      '';
    };
  };
}