{config, ...}: let
  domain = config.customOps.domain;
in {
  services.nginx.virtualHosts."cpcheck.${domain}" = {
    extraConfig = ''
      access_log off;
      error_log off;

      add_header Content-Security-Policy "default-src 'none'";
      add_header 'Referrer-Policy' 'same-origin';
      add_header X-Frame-Options DENY;
      add_header X-Content-Type-Options nosniff;
    '';
    locations."/".return = 204;
    forceSSL = false;
    addSSL = true;
    enableACME = true;
  };
}