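# NixOS module for the tlater.net web server: a sandboxed systemd service
# listening on loopback, fronted by an nginx TLS reverse proxy. The ntfy
# topic secret reaches the service only through a systemd credential.
{ pkgs, config, lib, flake-inputs, ... }:
let
  inherit (config.services.nginx) domain;

  # Address the Leptos app binds to. It is loopback-only on purpose: nothing
  # but nginx on this host should be able to reach the unencrypted upstream.
  siteAddr = "127.0.0.1:8000";
in
{
  # Only the TLS front-end is reachable from outside; the app port itself is
  # never opened in the firewall.
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  systemd.services.tlaternet-webserver = {
    description = "tlater.net webserver";
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];

    script = ''
      ${lib.getExe flake-inputs.self.packages.${pkgs.system}.webserver}
    '';

    environment = {
      TLATERNET_NTFY_INSTANCE = "https://tlater.net";
      LEPTOS_SITE_ADDR = siteAddr;
    };

    serviceConfig = {
      Type = "exec";

      # Delivered via $CREDENTIALS_DIRECTORY instead of the environment, so the
      # topic is not visible in `systemctl show` or the process environment.
      LoadCredential = "ntfy-topic:/run/secrets/tlaternet/ntfy-topic";

      # DynamicUser already implies ProtectSystem=strict, ProtectHome=read-only,
      # PrivateTmp, RemoveIPC and NoNewPrivileges (systemd.exec(5)); everything
      # below tightens on top of that baseline.
      DynamicUser = true;
      ProtectHome = true; # Override the default (read-only)
      PrivateDevices = true;
      PrivateIPC = true;
      PrivateUsers = true;
      ProtectHostname = true;
      ProtectClock = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectKernelLogs = true;
      ProtectControlGroups = true;

      # AF_UNIX is needed for the journal/notify sockets; AF_INET/AF_INET6 for
      # the listener and the outbound ntfy call.
      RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
      RestrictNamespaces = true;
      LockPersonality = true;
      MemoryDenyWriteExecute = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      SystemCallArchitectures = "native";

      # Allow the generic service set, then deny the listed groups. A leading
      # "~" inverts the whole space-separated entry, not just the first group.
      SystemCallFilter = [ "@system-service" "~@privileged @resources @setuid @keyring" ];

      # NOTE(review): CapabilityBoundingSet = "" and ProtectProc = "invisible"
      # look applicable too (loopback port > 1024 needs no capabilities) —
      # confirm against the binary before enabling.
    };
  };

  # Set up SSL
  services.nginx.virtualHosts."${domain}" = {
    serverAliases = [ "www.${domain}" ];
    forceSSL = true;
    useACMEHost = "tlater.net";
    enableHSTS = true;

    # Read the upstream back through `config` rather than the local binding,
    # so an override of LEPTOS_SITE_ADDR elsewhere is still honoured here.
    locations."/".proxyPass =
      "http://${config.systemd.services.tlaternet-webserver.environment.LEPTOS_SITE_ADDR}";
  };

  # Decrypted by sops-nix to the path LoadCredential above reads.
  sops.secrets."tlaternet/ntfy-topic" = { };
}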