{ config, ... }:
{
  services = {
    nginx = {
      enable = true;
      logError = "syslog:server=unix:/dev/log warn";
      # recommendedTlsSettings = true;
      # recommendedGzipSettings = true;
      # recommendedProxySettings = true;
      # recommendedOptimisation = true;
      virtualHosts = {
        "vw.sadan.zip" = {
          forceSSL = true;
          useACMEHost = "sadan.zip";
          locations = {
            "/" = {
              proxyPass = "http://localhost:3231";
            };
          };
        };
      };
    };
    adguardhome = {
      port = 3115;
      enable = true;
    };
  };
  networking = {
    firewall = {
      enable = true;
    };
  };
  sops = {
    secrets = {
      cloudflare_env = {
        format = "dotenv";
        sopsFile = ./cloudflare.env;
      };
    };
  };
  security = {
    acme = {
      certs = {
        "sadan.zip" = {
          dnsProvider = "cloudflare";
          email = "certs@sadan.zip";
          environmentFile = config.sops.secrets.cloudflare_env.path;
          group = "nginx";
        };
      };
      defaults = {
        # If the local dns server hasnt started yet, then this will fail for any domain configured with tailscale magic dns
        dnsResolver = "1.1.1.1:53";
      };
      acceptTerms = true;
    };
  };
}