{
  pkgs,
  ...
}:
{
  services.nginx = {
    enable = true;

    # enable all recommended settings
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;

    virtualHosts =
      let
        mkRedirect = host: {
          locations."/".return = "307 https://${host}$request_uri";
          forceSSL = true;
          enableACME = true;
        };
      in
      {
        "_" = {
          rejectSSL = true;
          extraConfig = "return 444;";
        };

        "514fpv.one" = {
          root = pkgs.callPackage ./site { };
          forceSSL = true;
          enableACME = true;
        };

        "www.514fpv.one" = {
          globalRedirect = "514fpv.one";
          enableACME = true;
        };

        "uptime.514fpv.one" = {
          locations."/" = {
            proxyPass = "http://127.0.0.1:4000";
            proxyWebsockets = true;
          };
          forceSSL = true;
          enableACME = true;
        };

        # redirections to home server
        "src.514fpv.one" = mkRedirect "src.514fpv.io:2096";
        "cloud.514fpv.one" = mkRedirect "cloud.514fpv.io:2096";
      };
  };

  networking.firewall.allowedTCPPorts = [
    80
    443
  ];
}