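# nginx front end for miau.zip: TLS 1.3 only, HTTP/3 over QUIC, ACME
# certificates, a fixed set of security response headers, and a catch-all
# server block that refuses requests for hostnames this machine does not serve.
{ pkgs, lib, ... }:

let
  # Response headers attached to every server block (and, below, to http{}).
  # `always` makes nginx emit the header on every status code, including the
  # 4xx responses produced by the catch-all vhost; without it HSTS is dropped
  # on exactly the error responses an attacker can most easily provoke.
  extraConfig = ''
    # $hsts_header is empty for non-https requests (see the map in
    # appendHttpConfig) and nginx suppresses add_header with an empty value.
    add_header Strict-Transport-Security $hsts_header always;
    # Left disabled: a CSP has to be checked against the site's actual inline
    # scripts and resource origins before it is switched on.
    #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
    add_header X-Content-Type-Options "nosniff" always;
    # The legacy browser XSS auditor that this header controlled is itself a
    # side-channel/filtering hazard; current guidance is to disable it ("0")
    # rather than request blocking mode.
    add_header X-XSS-Protection "0" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "same-origin" always;
  '';

  # Settings shared by every server block: redirect plain http to https and
  # serve/advertise HTTP/3 over QUIC.
  virtHostCfg = {
    forceSSL = true;
    http3 = true;
    quic = true;
  };

  # Server block that redirects every request to `domain`, presenting the
  # certificate issued for `domain` -- the redirecting name therefore has to
  # be a SAN on that certificate (see security.acme.certs below).
  mkRedirect = domain: virtHostCfg // {
    useACMEHost = domain;
    globalRedirect = domain;
    inherit extraConfig;
  };

  # Server block serving static files from `webroot` with its own ACME
  # certificate.
  mkHost = webroot: virtHostCfg // {
    enableACME = true;
    root = webroot;
    inherit extraConfig;
  };
in
{
  services.nginx = {
    enable = true;
    # The QUIC-enabled build is required for the http3/quic options above.
    package = pkgs.nginxQuic;

    recommendedOptimisation = true;
    recommendedTlsSettings = true;
    recommendedGzipSettings = true;

    # Only TLS 1.3 is offered. OpenSSL's `ssl_ciphers` (sslCiphers) does not
    # select TLS 1.3 cipher suites -- those are governed by
    # `ssl_conf_command Ciphersuites` -- so this string is effectively inert
    # while sslProtocols stays TLSv1.3-only. It is kept so that re-enabling
    # TLS 1.2 later does not silently fall back to nginx's defaults.
    sslProtocols = "TLSv1.3";
    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";

    # NOTE(review): "0" disables the request-body size limit for every server
    # block. Nothing in this file accepts uploads (a static root and redirects
    # only), so this mainly widens the DoS surface; bound it (e.g. "10m")
    # unless a vhost defined in another module depends on large bodies.
    clientMaxBodySize = "0";

    appendHttpConfig = ''
      # Emit HSTS only on https responses. There is deliberately no `default`,
      # so the variable is empty (and the header suppressed) otherwise.
      # `preload` commits the apex and every subdomain to the browser preload
      # lists -- all subdomains must serve valid TLS before submitting.
      map $scheme $hsts_header {
        https "max-age=31536000; includeSubdomains; preload";
      }
      ${extraConfig}
    '';

    virtualHosts = {
      # Catch-all for requests whose Host/SNI matches no other server block
      # (default = true). It presents the miau.zip certificate so the TLS
      # handshake completes, then refuses the request. reuseport is required
      # on the default server for the shared QUIC listener.
      #
      # nginx inherits add_header from http{} only when the server{} has no
      # add_header of its own, so the header set is repeated here to keep the
      # 403 responses covered.
      "redirect" = virtHostCfg // {
        serverName = null;
        default = true;
        reuseport = true;
        useACMEHost = "miau.zip";
        extraConfig = ''
          return 403;
          ${extraConfig}
        '';
      };

      "miau.zip" = mkHost "/var/www/kyouma.net";
      "www.miau.zip" = mkRedirect "miau.zip";
    };
  };

  security.acme = {
    acceptTerms = true;
    defaults = {
      keyType = "ec384";
      email = "noc@kyouma.net";
    };
    # NOTE(review): lg.miau.zip is a SAN on this certificate but has no server
    # block in this file; unless another module defines one, requests for it
    # land on the 403 catch-all above.
    certs."miau.zip" = {
      extraDomainNames = [ "www.miau.zip" "lg.miau.zip" ];
    };
  };
}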