{ config, pkgs, ...}: {
  services.nginx.enable = true;
  services.nginx.defaultListen = [{
    addr = "127.0.0.1";
    port = 443;
    ssl = true;
    proxyProtocol = true;
  }{
    addr = "0.0.0.0";
    port = 80;
    ssl = false;
  }];
  services.nginx.recommendedProxySettings = true;
  services.nginx.appendHttpConfig = ''
    set_real_ip_from 127.0.0.1;
    real_ip_header proxy_protocol;
    types {
      text/plain wat;
      text/plain glsl;
    }
  '';

  services.nginx.virtualHosts."static.tempest.dev" = {
    root = "/var/www/static";
    forceSSL = true;
    enableACME = true;

    locations."/" = {
      extraConfig = ''
        if ($request_method = GET) {
          add_header Access-Control-Allow-Origin *;
          add_header Access-Control-Allow-Credentials true;
          add_header Access-Control-Allow-Methods "GET, OPTIONS";
          add_header Access-Control-Allow-Headers "origin, accept, range";
        }

        if ($request_method = OPTIONS ) {
          add_header Access-Control-Allow-Origin *;
          add_header Access-Control-Allow-Credentials true;
          add_header Access-Control-Allow-Methods "GET, OPTIONS";
          add_header Access-Control-Allow-Headers "origin, accept, range";
          add_header Content-Length 0;
          add_header Content-Type text/plain;
          return 204;
        }
      '';
    };
  };
}