{ pkgs, config, ... }:
let
  ikiwikiDataPath = "/mnt/data/ikiwiki";
in
{
  services.nginx = {
    enable = true;
    virtualHosts."fi.nekover.se" = {
      forceSSL = true;
      enableACME = true;
      listen = [
        {
          addr = "0.0.0.0";
          port = 80;
        }
        {
          addr = "0.0.0.0";
          port = 8443;
          ssl = true;
          extraParameters = [ "proxy_protocol" ];
        }
      ];
      root = "${ikiwikiDataPath}/public_html/fi-zone";
      locations = {
        "/" = {
          tryFiles = "$uri $uri/ =404";
        };
        "~ .cgi" = {
          basicAuthFile = "/secrets/ikiwiki-auth-file.secret";
          extraConfig = ''
            gzip off;
            fastcgi_pass unix:${config.services.fcgiwrap.instances."ikiwiki".socket.address};
            fastcgi_index ikiwiki.cgi;
            fastcgi_param SCRIPT_FILENAME ${ikiwikiDataPath}/public_html/fi-zone/ikiwiki.cgi;
            fastcgi_param DOCUMENT_ROOT ${ikiwikiDataPath}/public_html/fi-zone;
            fastcgi_param REMOTE_USER $remote_user if_not_empty;
            include ${pkgs.nginx}/conf/fastcgi_params;
          '';
        };
      };
      extraConfig = ''
        set_real_ip_from 10.202.41.100;
        real_ip_header proxy_protocol;
      '';
    };
  };
}