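# NixOS module: nginx virtual host for "nekover.se".
#
# The host only serves the two static Matrix discovery documents under
# /.well-known/matrix/, which delegate the Matrix service to
# matrix.nekover.se. TLS connections arrive on localhost:8443 wrapped in the
# PROXY protocol.
{ ... }:
{
  services.nginx.virtualHosts."nekover.se" = {
    forceSSL = true;
    enableACME = true;
    # Both listeners bind to localhost only.
    # NOTE(review): presumably a proxy on this host forwards public traffic
    # here; that proxy is not part of this file, so confirm.
    listen = [
      {
        addr = "localhost";
        port = 1234;
      } # workaround for enableACME check
      {
        # nginx accepts the client address in the PROXY protocol header from
        # whoever connects, so this listener must stay reachable only by the
        # trusted proxy. Do not widen `addr` without revisiting
        # set_real_ip_from below.
        addr = "localhost";
        port = 8443;
        ssl = true;
        proxyProtocol = true;
      }
    ];
    # Server-server discovery: federation traffic goes to matrix.nekover.se:443.
    locations."/.well-known/matrix/server" = {
      return = "200 '{\"m.server\": \"matrix.nekover.se:443\"}'";
      # Use default_type, not `add_header Content-Type`: nginx already emits a
      # Content-Type for a `return` body, so add_header produces a second,
      # conflicting Content-Type header that clients may resolve differently.
      extraConfig = ''
        default_type application/json;
      '';
    };
    # Client discovery: homeserver, identity server and sliding-sync proxy URLs.
    # NOTE(review): m.identity_server points at the third-party host vector.im;
    # confirm this is intended.
    locations."/.well-known/matrix/client" = {
      return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}, \"org.matrix.msc3575.proxy\": {\"url\": \"https://matrix.nekover.se\"}}'";
      # The wildcard CORS header lets web clients on any origin read this
      # static, public document. An add_header at location level replaces any
      # add_header inherited from the server/http level, so headers set there
      # (if any) are not sent for this location.
      extraConfig = ''
        default_type application/json;
        add_header Access-Control-Allow-Origin *;
      '';
    };
    # Take the client address from the PROXY protocol header, but only for
    # connections coming from 127.0.0.1.
    # NOTE(review): "localhost" may also resolve to ::1; connections from ::1
    # would not be trusted here and would be logged as the proxy's address.
    # Confirm which loopback address the proxy uses.
    extraConfig = ''
      set_real_ip_from 127.0.0.1;
      real_ip_header proxy_protocol;
    '';
  };
}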