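# NixOS module: opt-in nginx web server for this host.
#
# Enabling `local.web.enable` brings up nginx with the upstream "recommended"
# hardening/performance toggles, one TLS-only virtual host for the `www`
# domain (with the bare domain as an alias) backed by the ACME certificate
# issued for the bare domain, host-generated DH parameters, and the matching
# firewall openings.
{ config, lib, ... }:
let
  # Explicit inherit instead of `with lib;` so the names used are visible.
  inherit (lib) mkEnableOption mkIf;
  cfg = config.local.web;
  inherit (config.local) domains;
in
{
  options.local.web = {
    enable = mkEnableOption "web server";
  };

  config = mkIf cfg.enable {
    services.nginx = {
      enable = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      # Point nginx at the DH group generated on this host (declared below
      # under security.dhparams) instead of a shipped/static group.
      sslDhparam = config.security.dhparams.params.nginx.path;
      # Request-body limit applied to every vhost; larger uploads are rejected.
      clientMaxBodySize = "42M";
      virtualHosts = {
        ${domains.host.www} = {
          serverAliases = [ domains.host.main ];
          # Reuse the certificate issued for the bare domain; it is assumed to
          # also cover the www name (presumably via local.certs.host) — confirm.
          useACMEHost = domains.host.main;
          forceSSL = true;
        };
      };
    };

    security = {
      acme.certs.${domains.host.main} = {
        # Certificate files are group-owned by nginx's group so the worker
        # processes can read the private key without widening permissions.
        inherit (config.services.nginx) group;
      };
      dhparams = {
        # `params.nginx` only declares the parameter set (and its path);
        # the generator service that actually writes the file is gated on
        # `enable`, so set it here rather than relying on another module.
        enable = true;
        params.nginx = { };
      };
    };

    networking.firewall.allowedTCPPorts = [ 80 443 ];
    local.certs.host.enable = true;
  };
}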