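# NixOS module: public-facing nginx front end for the 514fpv.one hosts.
# Serves the static site, reverse-proxies one local service, and redirects
# two hostnames to the home server.
{ pkgs
, ...}: {
  services.nginx = {
    enable = true;

    # enable all recommended settings
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;

    virtualHosts = let
      # Build a vhost that answers every path with a temporary (307) redirect
      # to https://<host><original request URI>. 307 keeps the request method
      # and body intact. The vhost itself is HTTPS-only (HTTP is upgraded
      # first) and gets its own ACME certificate.
      mkRedirect = host: {
        locations."/".return = "307 https://${host}$request_uri";
        forceSSL = true;
        enableACME = true;
      };
    in {
      # Catch-all for requests whose Host/SNI matches no configured vhost.
      # `default = true` is required for this to take effect: "_" is only a
      # placeholder server_name, and without default_server nginx falls back
      # to the first server block in the generated config, which would expose
      # a real site (and its certificate) to unknown hostnames.
      "_" = {
        default = true;
        # refuse the TLS handshake instead of presenting a certificate
        rejectSSL = true;
        # 444: nginx closes the connection without sending a response
        extraConfig = "return 444;";
      };

      # Main site, built from the local ./site package.
      "514fpv.one" = {
        root = pkgs.callPackage ./site { };
        forceSSL = true;
        enableACME = true;
      };

      # www -> apex redirect.
      # forceSSL makes the vhost listen on 443 with the ACME certificate;
      # with enableACME alone the certificate is requested but never served,
      # HTTPS requests for www land on another server block, and the redirect
      # target is generated as plain http://.
      "www.514fpv.one" = {
        globalRedirect = "514fpv.one";
        forceSSL = true;
        enableACME = true;
      };

      # Reverse proxy to a service listening on loopback only; the backend
      # hop is plain HTTP, TLS terminates here.
      "uptime.514fpv.one" = {
        locations."/" = {
          proxyPass = "http://127.0.0.1:4000";
          proxyWebsockets = true;
        };
        forceSSL = true;
        enableACME = true;
      };

      # redirections to home server
      "src.514fpv.one" = mkRedirect "src.514fpv.io:2096";
      "cloud.514fpv.one" = mkRedirect "cloud.514fpv.io:2096";
    };
  };

  # 443 for HTTPS; 80 stays open for the HTTP -> HTTPS redirects and for
  # ACME HTTP-01 validation (enableACME's default webroot method).
  networking.firewall.allowedTCPPorts = [ 80 443 ];
}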