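# NixOS module: nginx-backed web server plus one ACME certificate per entry of
# `local.web.ownedCerts`.
#
# Relies on two things this file does not declare: the `local.certs` option and
# `config.local.domains`, whose entries are expected to carry a `.main`
# attribute (the certificate's primary domain) — confirm against the module
# that defines them.
{ config, lib, ... }:

let
  # Explicit imports instead of `with lib;` so it is visible which lib
  # functions the module uses and nothing is shadowed silently.
  inherit (lib)
    mkEnableOption mkOption mkIf mkDefault
    genAttrs listToAttrs nameValuePair types;

  cfg = config.local.web;
  inherit (config.local) domains;
in
{
  options.local.web = {
    enable = mkEnableOption "web server";

    ownedCerts = mkOption {
      type = types.listOf types.str;
      default = [ ];
      description = ''
        Names of the certificates this host owns. Each entry must be a key of
        `local.domains`; its `.main` attribute is used as the ACME certificate
        name. Every entry is also enabled in `local.certs`.
      '';
    };
  };

  config = mkIf cfg.enable {
    services.nginx = {
      enable = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      # DH parameters come from the security.dhparams entry requested below
      # (`params.nginx`), not from a hard-coded file.
      sslDhparam = config.security.dhparams.params.nginx.path;
      # Request body size limit applied server-wide.
      clientMaxBodySize = "42M";
      # Virtual hosts are contributed by other modules; nothing is served by
      # this module on its own.
      virtualHosts = { };
    };

    # Mark every owned certificate as enabled in local.certs.
    local.certs = genAttrs cfg.ownedCerts (_: { enable = true; });

    # HTTP and HTTPS.
    networking.firewall.allowedTCPPorts = [ 80 443 ];

    security = {
      # One ACME certificate per owned name, keyed by its main domain. The
      # group is the nginx group (presumably so nginx can read the key files);
      # mkDefault leaves it overridable by other modules.
      acme.certs = listToAttrs (map
        (name: nameValuePair domains.${name}.main {
          group = mkDefault config.services.nginx.group;
        })
        cfg.ownedCerts);
      # Ask security.dhparams to generate the parameter file referenced by
      # services.nginx.sslDhparam above.
      dhparams.params.nginx = { };
    };
  };
}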