{ config, pkgs, lib, ... }:

let
  domain = config.networking.shortDomain;
in {
  services.nginx.virtualHosts.${domain} = {
    listenAll = true;

    addSSL = true;
    enableACME = true;

    locations."/".extraConfig = ''
      limit_except GET { deny all; }

      rewrite ^/$ /paste/index.html break;
      rewrite ^(/[^\s]+)$ /paste$1 break;

      client_max_body_size 0;
      proxy_buffering off;
      proxy_hide_header "X-Amz-Request-Id";
      proxy_hide_header "X-Amz-Bucket-Region";
      proxy_hide_header "X-Minio-Deployment-Id";

      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Forwarded-Host $host;
      proxy_set_header X-Forwarded-Server $host;
      proxy_set_header Accept-Encoding "";

      proxy_pass http://127.0.0.1:7000;
    '';
  };
}