{config, ...}: let
  customDomain = config.customOps.domain;
in {
  imports = [./captiveportal.nix];

  networking.firewall.allowedTCPPorts = [80 443];

  services.nginx = {
    enable = true;

    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedUwsgiSettings = true;
    recommendedProxySettings = true;
    recommendedBrotliSettings = true;

    appendHttpConfig = ''
      add_header_inherit merge;
      add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
      add_header 'Referrer-Policy' 'origin-when-cross-origin';
      add_header X-Frame-Options DENY;
      add_header X-Content-Type-Options nosniff;
    '';

    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";

    virtualHosts.${customDomain} = {
      default = true;
      root = "/var/www/${customDomain}";
      forceSSL = true;
      enableACME = true;
    };
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "security@${config.mailserver.fqdn}";
  };
}