{config, ...}: let
  domain = config.services.nginx.domain;
in {
  services.tlaternet-webserver = {
    enable = true;
    listen = {
      addr = "127.0.0.1";
      port = 8000;
    };
  };

  # Set up SSL
  services.nginx.virtualHosts."${domain}" = let
    inherit (config.services.tlaternet-webserver.listen) addr port;
  in {
    serverAliases = ["www.${domain}"];

    forceSSL = true;
    enableACME = true;
    extraConfig = ''
      add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
      access_log /var/log/nginx/${domain}/access.log upstream_time;
    '';

    locations."/".proxyPass = "http://${addr}:${toString port}";
  };
}