# NixOS module fragment: enables nginx with the module's recommended presets,
# sets up logging, and declares two regex-named virtual hosts that only issue
# redirects (a catch-all default and a www -> non-www rule).
{ config, ... }:
{
  services.nginx = {
    enable = true;

    # Preset blocks provided by the NixOS nginx module.
    # NOTE(review): no vhost in this file terminates TLS, so the TLS preset
    # only matters for vhosts declared elsewhere - confirm.
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    # Injected verbatim into the http {} context: errors go to stderr,
    # requests are written to a file. Because the catch-all vhost below
    # answers every unmatched Host, this access log also records requests
    # for names this server does not serve.
    commonHttpConfig = ''
      error_log stderr;
      access_log /var/log/nginx/access.log;
    '';

    virtualHosts =
      let
        # nginx treats a server name starting with "~" as a regex.
        matchAll = ''~.*'';
        # Named capture "domain" holds everything after the "www." prefix.
        matchWww = ''~^www\.(?<domain>.+)$'';
      in
      {
        # Redirect anything that doesn't match any server name to networking.domain
        # NOTE(review): nginx tests regex server names in the order they
        # appear in the generated config, and this pattern matches every
        # Host. Confirm with `nginx -T` that the www vhost below is still
        # reachable and not shadowed by this one.
        ${matchAll} = {
          # Marks this vhost as the default server.
          default = true;
          # TLS handshakes for unmatched names are rejected instead of being
          # answered with another vhost's certificate.
          rejectSSL = true;

          # NOTE(review): networking.domain may be unset (null); presumably
          # no redirect is emitted then - confirm. Also verify the scheme of
          # the generated redirect, since no certificate-serving SSL option
          # is set on this vhost.
          globalRedirect = config.networking.domain;
        };
        # Redirect www to non-www
        # "$domain" is the regex capture above, i.e. it is derived from the
        # client-supplied Host header and is echoed into the redirect target.
        # The pattern accepts any suffix after "www."; if only a known set of
        # domains is served, anchoring the regex to those names keeps the
        # redirect target under the operator's control.
        ${matchWww}.globalRedirect = "$domain";
      };
  };
}