{ pkgs, lib, ... }:
let
  access_log_sink = "workhorse.private:12304";
  error_log_sink = "workhorse.private:12305";
in
{

  security.acme.email = "contact@ingolf-wagner.de";
  security.acme.acceptTerms = true;

  services.nginx = {

    # Use recommended settings
    recommendedGzipSettings = lib.mkDefault true;
    recommendedOptimisation = lib.mkDefault true;
    recommendedProxySettings = lib.mkDefault true;
    recommendedTlsSettings = lib.mkDefault true;

    # for graylog logging
    commonHttpConfig = ''
      log_format graylog2_json escape=json '{ "timestamp": "$time_iso8601", '
        '"facility": "nginx", '
        '"src_addr": "$remote_addr", '
        '"body_bytes_sent": $body_bytes_sent, '
        '"request_time": $request_time, '
        '"response_status": $status, '
        '"request": "$request", '
        '"request_method": "$request_method", '
        '"host": "$host",'
        '"upstream_cache_status": "$upstream_cache_status",'
        '"upstream_addr": "$upstream_addr",'
        '"http_x_forwarded_for": "$http_x_forwarded_for",'
        '"http_referrer": "$http_referer", '
        '"http_user_agent": "$http_user_agent" }';
      access_log syslog:server=${access_log_sink} graylog2_json;
      error_log syslog:server=${error_log_sink};
    '';
  };

  services.nginx.package = pkgs.nginxMainline;
}