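{ config, pkgs, ... }:
# Public web front end: nginx with ACME-issued TLS plus one php-fpm pool.
# Hardening rationale is inline; anything marked "verify" depends on
# modules or files that are not visible here.
let
  customDomain = config.customOps.domain.fqdn;
  nginxUser = config.services.nginx.user;
  nginxGroup = config.services.nginx.group;
  # Dedicated service account for the PHP pool instead of the shared
  # `nobody` user, so a PHP compromise is isolated from every other
  # process that also runs as nobody.
  phpUser = "php-mypool";
in
{
  imports = [
    ./captiveportal.nix
    ./tor-snowflake.nix
    ./aur.nix
  ];

  # Only HTTP (ACME challenge + redirect to HTTPS) and HTTPS are exposed.
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  services.nginx = {
    enable = true;
    package = pkgs.nginx.override {
      modules = [
        pkgs.nginxModules.moreheaders # provides more_set_headers below
        pkgs.nginxModules.brotli
      ];
    };

    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedUwsgiSettings = true;
    recommendedProxySettings = true;
    recommendedBrotliSettings = true;

    # AEAD suites only (ECDHE/DHE with AES-GCM or ChaCha20-Poly1305).
    # The CBC suites previously listed (AES256+EECDH, AES256+EDH) are dropped:
    # on a TLS 1.2+ only server they add essentially no client coverage and
    # carry the CBC padding-oracle history. TLS 1.3 suites are not governed
    # by this directive.
    sslCiphers = "EECDH+AESGCM:EECDH+CHACHA20:EDH+AESGCM:EDH+CHACHA20:!aNULL";

    appendHttpConfig = ''
      # NOTE: no `ssl_prefer_server_ciphers` here on purpose.
      # recommendedTlsSettings already emits that directive at http level;
      # repeating a flag directive in the same context makes nginx reject the
      # configuration as a duplicate. With an AEAD-only suite list there is
      # nothing to gain from forcing server preference anyway.

      # HSTS on TLS responses only. $hsts_header has no default, so it is the
      # empty string for plain-HTTP requests and more_set_headers then omits
      # the header entirely (HSTS over HTTP is ignored by browsers regardless).
      # `preload` commits every subdomain to HTTPS-only in browser preload
      # lists and is hard to undo -- keep it only if that is intended.
      map $scheme $hsts_header {
        https "max-age=31536000; includeSubdomains; preload";
      }
      more_set_headers 'Strict-Transport-Security: $hsts_header';

      # This CSP only upgrades mixed content; it does not restrict script,
      # style or frame sources. A real source allow-list has to be designed
      # against the deployed site and added here.
      more_set_headers 'Content-Security-Policy: upgrade-insecure-requests';

      # strict-origin-when-cross-origin behaves like origin-when-cross-origin
      # but sends no referrer at all on an HTTPS -> HTTP downgrade.
      more_set_headers 'Referrer-Policy: strict-origin-when-cross-origin';
      more_set_headers 'X-Frame-Options: DENY';
      more_set_headers 'X-Content-Type-Options: nosniff';
      # Explicitly disabled: the legacy XSS auditor introduced its own
      # information leaks, so "0" is the recommended value.
      more_set_headers 'X-XSS-Protection: 0';
    '';

    # Default vhost: any Host header reaching this address lands here and is
    # redirected to HTTPS.
    virtualHosts.${customDomain} = {
      default = true;
      root = "/var/www/${customDomain}";
      forceSSL = true;
      enableACME = true;
    };
  };

  users.users.${phpUser} = {
    isSystemUser = true;
    group = phpUser;
  };
  users.groups.${phpUser} = { };

  # php-fpm pool. Nothing in this file wires it into nginx (there is no PHP
  # `location` block), so the consumer is presumably one of the imported
  # modules -- verify, and verify the webroot is readable by ${phpUser}.
  services.phpfpm.pools.mypool = {
    user = phpUser;
    group = phpUser;
    settings = {
      "pm" = "dynamic";
      # The unix socket is reachable only by the nginx service account.
      "listen.owner" = nginxUser;
      "listen.group" = nginxGroup;
      "listen.mode" = "0660";
      "pm.max_children" = 75;
      "pm.start_servers" = 10;
      "pm.min_spare_servers" = 5;
      "pm.max_spare_servers" = 20;
    };
  };

  security.acme = {
    acceptTerms = true;
    # Expiry / renewal-failure notices go to the security mailbox on the
    # mail host (config.mailserver.fqdn comes from a module not shown here).
    defaults.email = "security@${config.mailserver.fqdn}";
  };
}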