# NixOS module: nginx serving the staging and production builds of the site,
# one virtual host each, with certificates obtained through ACME.
#
# Arguments:
#   pkgs                    - package set; supplies the nginx PAM module and `system`.
#   mkWwwContentStaging     - function called with { domain, system }; its result
#   mkWwwContentProduction    is used as the virtual host's document root.
{ pkgs, mkWwwContentStaging, mkWwwContentProduction, ... }:

let
  # Build the definition of one static virtual host. `mkRoot` is the content
  # builder whose result becomes the document root for `domain`.
  staticSite = domain: mkRoot: {
    # addSSL enables HTTPS in addition to plain HTTP; nothing is redirected,
    # so the same content stays reachable unencrypted on port 80.
    # NOTE(review): if plain-HTTP access is not required, `forceSSL = true`
    # (HTTP -> HTTPS redirect) is the usual choice; confirm before changing.
    addSSL = true;
    enableACME = true;
    root = mkRoot {
      inherit domain;
      inherit (pkgs) system;
    };
  };
in
{
  security = {
    # Accept the CA's terms of service and register a contact address for
    # certificate-related mail.
    acme = {
      acceptTerms = true;
      defaults.email = "acme@zerforschen.plus";
    };

    # Declares a PAM service named "nginx" and keeps it from setting session
    # environment variables.
    pam.services.nginx.setEnvironment = false;
  };

  # Puts the nginx service into the "shadow" group.
  # NOTE(review): presumably this lets PAM authentication read /etc/shadow from
  # inside nginx. It also means a compromised nginx process can read the
  # password hashes. No virtual host in this file enables PAM authentication;
  # if none does elsewhere, this group, the PAM service above and the PAM
  # module below can be dropped. Verify against the rest of the configuration.
  systemd.services.nginx.serviceConfig.SupplementaryGroups = [ "shadow" ];

  services.nginx = {
    enable = true;

    # Compiles the PAM module into nginx (see the review note on the
    # "shadow" group above).
    additionalModules = [ pkgs.nginxModules.pam ];

    # NixOS-provided baseline settings.
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;

    virtualHosts = {
      "staging.cccb.zerforschen.plus" =
        staticSite "staging.cccb.zerforschen.plus" mkWwwContentStaging;
      "production.cccb.zerforschen.plus" =
        staticSite "production.cccb.zerforschen.plus" mkWwwContentProduction;
    };
  };

  # HTTP and HTTPS are both exposed. NOTE(review): port 80 is presumably also
  # needed for the ACME HTTP challenge; confirm before closing it.
  networking.firewall.allowedTCPPorts = [ 80 443 ];
}