{ config, pkgs, ...}: {
  services.nginx.enable = true;
  services.nginx.defaultListenAddresses = [ "104.168.211.198" ];
  services.nginx.recommendedProxySettings = true;
  services.nginx.appendHttpConfig = ''
    types {
      text/plain wat;
      text/plain glsl;
    }
  '';

  services.nginx.virtualHosts."static.tempest.dev" = {
    root = "/var/www/static";
    forceSSL = true;
    enableACME = true;

    locations."/" = {
      extraConfig = ''
        if ($request_method = GET) {
          add_header Access-Control-Allow-Origin *;
          add_header Access-Control-Allow-Credentials true;
          add_header Access-Control-Allow-Methods "GET, OPTIONS";
          add_header Access-Control-Allow-Headers "origin, accept, range";
        }

        if ($request_method = OPTIONS ) {
          add_header Access-Control-Allow-Origin *;
          add_header Access-Control-Allow-Credentials true;
          add_header Access-Control-Allow-Methods "GET, OPTIONS";
          add_header Access-Control-Allow-Headers "origin, accept, range";
          add_header Content-Length 0;
          add_header Content-Type text/plain;
          return 204;
        }
      '';
    };
  };
}