{
  flake.modules.nixos.nginx-ponthir-taekwondo =
    { config, ... }:
    let
      domain = "ponthirtaekwondo.co.uk";
      port = 9099;
    in
    {
      security.acme = {
        acceptTerms = true;

        certs.${domain} = {
          dnsProvider = "cloudflare";
          domain = "${domain}";
          email = "oliver@oliverdavies.uk";
          environmentFile = config.age.secrets.cloudflare.path;
          extraDomainNames = [ "www.${domain}" ];
          webroot = null;
        };
      };

      services.nginx = {
        enable = true;

        virtualHosts."www.${domain}" = {
          root = "/var/www/vhosts/${domain}";

          listen = [
            {
              inherit port;

              addr = "localhost";
            }
          ];

          locations."/".tryFiles = "$uri $uri.html $uri/index.html =404";

          extraConfig = ''
            port_in_redirect off;

            # Remove trailing slashes.
            rewrite ^/(.*)/$ /$1 permanent;
          '';
        };
      };

      services.cloudflared = {
        enable = true;

        tunnels."c1537889-81ac-4d41-b80d-9657f8db30c7" = {
          credentialsFile = config.age.secrets.cloudflared.path;
          default = "http_status:404";
          ingress."www.${domain}" = "http://localhost:${toString port}";
        };
      };
    };
}