{ config, pkgs, ... }:

{
  users.users.nginx.extraGroups = [ "acme" ];

  services = {
    nginx = {
      enable = true;
      resolver.addresses = [
        "[2606:4700:4700::1111]"
        "[2620:fe::fe]"
        "1.1.1.1"
        "9.9.9.9"
      ];
      statusPage = true; # http://127.0.0.1/nginx_status
      sslProtocols = "TLSv1.3";
      recommendedTlsSettings = true;
      recommendedOptimisation = true;
      recommendedGzipSettings = true;
      recommendedBrotliSettings = true;
    };
    prometheus.exporters.nginx = {
      enable = true;
      firewallRules = config.services.prometheus.exporters.node.firewallRules;
      openFirewall = true;
    };
  };
}