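{ config, lib, pkgs, ... }:
# zpha.profiles.nginx: an nginx reverse-proxy host that serves one wildcard-free
# certificate for the machine's FQDN plus every configured virtual host name,
# obtained from Let's Encrypt through the RFC 2136 (dynamic DNS / TSIG) challenge.
{
  options.zpha.profiles.nginx.enable = lib.mkEnableOption "nginx";

  config = lib.mkIf config.zpha.profiles.nginx.enable {
    # Keep ACME account keys and issued certificates across reboots
    # (project-specific persistence option; presumably an impermanence setup).
    common.configure.persist.system.dirs = [ "/var/lib/acme" ];

    # TSIG secret for the RFC 2136 challenge, delivered by sops. Default
    # ownership/mode (root, 0400) is intentional: the acme module passes
    # `credentialFiles` to the service as systemd credentials, so the `acme`
    # user never needs to read the file directly.
    # NOTE(review): confirm this holds for the nixpkgs acme module version in use.
    sops.secrets.acmeTSIGKey = { };

    security.acme = {
      acceptTerms = true;
      defaults = {
        email = "letsencrypt@zaphyra.eu";
        keyType = "ec384";
        dnsProvider = "rfc2136";
        # This file lands in the world-readable Nix store, so it must only
        # carry the non-secret parameters of the challenge; the TSIG secret
        # itself is supplied out of band below.
        environmentFile = pkgs.writeText "acme-dns-env" ''
          RFC2136_NAMESERVER=ns1.fc9f.de
          RFC2136_TSIG_KEY=acme-nix-${config.networking.hostName}
          RFC2136_TSIG_ALGORITHM=hmac-sha384
        '';
        # lego accepts a `*_FILE` variant of each provider variable and reads
        # the value from that path at runtime.
        credentialFiles = {
          RFC2136_TSIG_SECRET_FILE = config.sops.secrets.acmeTSIGKey.path;
        };
      };

      # A single certificate, keyed by the host FQDN, whose SANs cover every
      # name nginx answers to.
      certs."${config.networking.fqdn}" = {
        # Let the nginx worker read the key material only when nginx is
        # actually enabled on this host.
        group = lib.mkIf config.services.nginx.enable "nginx";
        extraDomainNames =
          let
            # All names one virtual host responds to: its attribute key plus
            # any serverAliases. The parameter is deliberately not called
            # `config` so it cannot shadow the module-level config.
            namesOf = vhostName: vhost: [ (vhost.serverAliases or [ ]) vhostName ];
          in
          lib.pipe config.services.nginx.virtualHosts [
            (lib.mapAttrsToList namesOf)
            lib.flatten
            # The FQDN is already the certificate's primary domain.
            (lib.remove config.networking.fqdn)
            # dn42 names are not publicly resolvable, so Let's Encrypt cannot
            # validate them; keep them out of the SAN list.
            (lib.filter (domain: !(lib.hasSuffix "dn42" domain)))
            # An alias that repeats another vhost's key would otherwise be
            # listed twice.
            lib.unique
          ];
      };
    };

    services.nginx = {
      # mkDefault so a host can opt out of nginx while keeping the profile.
      enable = lib.mkDefault true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      # NOTE(review): `access_log off` removes per-request logs for every vhost,
      # which leaves nothing to reconstruct an incident from; consider logging
      # to the journal instead if request visibility is wanted.
      commonHttpConfig = ''
        server_names_hash_bucket_size 64;
        charset utf-8;
        access_log off;
      '';
      # Catch-all vhost for the FQDN, serving the shared certificate above.
      virtualHosts."${config.networking.fqdn}" = {
        useACMEHost = config.networking.fqdn;
        forceSSL = true;
        kTLS = true;
        default = true;
      };
    };

    # 80 is needed for the HTTP->HTTPS redirect that forceSSL configures.
    networking.firewall.allowedTCPPorts = [ 80 443 ];
  };
}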