{ pkgs, lib, ... }:
let
  access_log_sink = "workhorse.private:12304";
  error_log_sink = "workhorse.private:12305";
in
{

  security.acme.defaults.email = "contact@ingolf-wagner.de";
  security.acme.acceptTerms = true;

  services.nginx = {

    # Use recommended settings
    recommendedGzipSettings = lib.mkDefault true;
    recommendedOptimisation = lib.mkDefault true;
    recommendedProxySettings = lib.mkDefault true;
    recommendedTlsSettings = lib.mkDefault true;

    # for graylog logging
    #commonHttpConfig = ''
    #  log_format graylog2_json escape=json '{ "timestamp": "$time_iso8601", '
    #    '"facility": "nginx", '
    #    '"src_addr": "$remote_addr", '
    #    '"body_bytes_sent": $body_bytes_sent, '
    #    '"request_time": $request_time, '
    #    '"response_status": $status, '
    #    '"request": "$request", '
    #    '"request_method": "$request_method", '
    #    '"host": "$host",'
    #    '"upstream_cache_status": "$upstream_cache_status",'
    #    '"upstream_addr": "$upstream_addr",'
    #    '"http_x_forwarded_for": "$http_x_forwarded_for",'
    #    '"http_referrer": "$http_referer", '
    #    '"http_user_agent": "$http_user_agent" }';
    #  access_log syslog:server=${access_log_sink} graylog2_json;
    #  error_log syslog:server=${error_log_sink};
    #'';
  };

  services.nginx.package = pkgs.nginxMainline;
}