{ config, lib, ... }: let
  cfg = config.kyouma.nginx;
  extraConfig = ''
    add_header Strict-Transport-Security 	$hsts_header;
    #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
    add_header X-Content-Type-Options 	"nosniff" always;
    add_header X-XSS-Protection 		"1; mode=block" always;
    add_header X-Frame-Options 		"SAMEORIGIN" always;
    add_header Referrer-Policy 		"same-origin" always;
  '';
  createHost = vhostName: vhostCfg: {
    extraConfig = (lib.optionalString (builtins.hasAttr "extraConfig" vhostCfg) vhostCfg.extraConfig) + "\n" + extraConfig;
    forceSSL = true;
    #kTLS = true;
    #http3 = true;
    #quic = true; 
  } //
  lib.optionalAttrs (!(builtins.hasAttr "useACMEHost" vhostCfg)) {
    enableACME = true;
  } //
  lib.optionalAttrs (builtins.hasAttr "redirectTo" vhostCfg) {
    enableACME = false;
    useACMEHost = vhostCfg.redirectTo;
    globalRedirect = vhostCfg.redirectTo;
  } //
  (builtins.removeAttrs vhostCfg [ "redirectTo" "extraConfig" ]);

in {
  options = {
    kyouma.nginx.virtualHosts = lib.mkOption {
      type = with lib.types; nullOr anything;
      default = null;
    };
    kyouma.nginx.defaultForbidden = lib.mkOption {
      type = with lib.types; nullOr str;
      default = null;
    };
  };
  config = {
    services.nginx.virtualHosts = lib.optionalAttrs (cfg.virtualHosts != null) (
      builtins.mapAttrs (createHost) cfg.virtualHosts) //
      lib.optionalAttrs (cfg.defaultForbidden != null) {
        "redirect" = {
          default = true;
          forceSSL = true;
          reuseport = true;
          useACMEHost = cfg.defaultForbidden;
          extraConfig = ''
            return 403;
          '';
        };
      };
  };
}