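{ config, lib, pkgs, ... }:
let
  inherit (lib) mkDefault;
in
{
  # Role tag consumed by the kyouma deployment tooling; groups this host with the web frontends.
  kyouma.deployment.tags = [ "web" ];

  # Generate a host-specific DH group for nginx so the DHE suites in sslCiphers below never
  # fall back to a well-known parameter set.
  security.dhparams.enable = true;
  security.dhparams.params.nginx = {};

  # ACME defaults: ECDSA P-256 certificates, expiry/contact mail to the NOC mailbox.
  security.acme = {
    acceptTerms = true;
    defaults = {
      keyType = "ec256";
      email = "noc@kyouma.net";
    };
  };

  # TCP 80/443 for HTTP/1.1 and HTTP/2, UDP 443 for HTTP/3 (QUIC) as advertised by Alt-Svc below.
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  networking.firewall.allowedUDPPorts = [ 443 ];

  services.nginx = {
    enable = true;
    # QUIC-capable build; mkDefault so an individual host can swap the package.
    package = mkDefault pkgs.nginxQuic;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    # ssl_ciphers only governs TLS <= 1.2 handshakes; with the default sslProtocols of TLSv1.3
    # it is inert and only matters if a host overrides sslProtocols to re-enable TLSv1.2. The
    # list then limits those suites to AES-256 with ephemeral (EC)DH key exchange and excludes
    # anonymous suites (the TLS 1.3 suites are not selectable through this directive).
    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
    sslProtocols = mkDefault "TLSv1.3";
    sslDhparam = config.security.dhparams.params.nginx.path;
    # Request-body ceiling; raise per host only where large uploads are expected.
    clientMaxBodySize = mkDefault "128M";
    # NOTE: nginx does not merge add_header across contexts. Any server or location block that
    # declares its own add_header discards every header set here and must restate them.
    commonHttpConfig = ''
      # Emit HSTS only over https; the map yields an empty value over http, which makes nginx
      # skip the header entirely.
      map $scheme $hsts_header {
        https "max-age=31536000; includeSubdomains; preload";
      }
      # "always" so error responses carry HSTS too; without it add_header only applies to
      # 2xx/3xx/304 responses.
      add_header Strict-Transport-Security $hsts_header always;
      add_header X-Content-Type-Options "nosniff" always;
      # The XSS auditor has been removed from current browsers, and enabling it in the remaining
      # ones has been shown to introduce its own weaknesses; current guidance is to disable it
      # explicitly rather than request "1; mode=block".
      add_header X-XSS-Protection "0" always;
      add_header X-Frame-Options "SAMEORIGIN" always;
      add_header Referrer-Policy "same-origin" always;
      # Advertise HTTP/3 and HTTP/2 on 443; ma is a lifetime in seconds (90 days).
      add_header Alt-Svc 'h3=":443"; ma=7776000; persist=1, h2=":443"; ma=7776000; persist=1';
      # CSP is still disabled globally; enable it per site once the script/object sources of
      # each vhost are known, so the policy does not break unrelated sites.
      #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
    '';
    eventsConfig = ''
      multi_accept on;
    '';
    appendConfig = ''
      worker_processes auto;
    '';
  };
}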