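{
  config,
  pkgs,
  lib,
  ...
}:
# Local nginx extensions:
#  - a base `services.nginx.domain` option,
#  - per-virtualHost `enableHSTS` / `addAccessLog` toggles, added by extending
#    the stock NixOS `services.nginx.virtualHosts` submodule,
#  - a guard that keeps the ACME units from running when this module is
#    evaluated for a domain other than the real one.
let
  cfg = config.services.nginx;
in
{
  options = {
    services.nginx.domain = lib.mkOption {
      type = lib.types.str;
      description = "The base domain name to append to virtual domain names";
    };

    # Only `type` is given here on purpose: the option already exists in
    # NixOS, and the module system merges submodule types across declarations
    # but rejects a second `description`/`default` for the same option.
    services.nginx.virtualHosts =
      let
        extraVirtualHostOptions =
          { name, config, ... }:
          {
            options = {
              # Rendered as "Whether to enable HSTS." (mkEnableOption already
              # prepends "Whether to enable").
              enableHSTS = lib.mkEnableOption "HSTS";

              addAccessLog = lib.mkOption {
                type = lib.types.bool;
                default = true;
                description = ''
                  Write a dedicated access log to `/var/log/nginx/<name>/access.log`,
                  where `<name>` is this virtualHost's attribute name.
                '';
              };
            };

            config = {
              # `extraConfig` is a `lines` option, so these directives are
              # appended to whatever the host definition itself adds.
              extraConfig = lib.concatStringsSep "\n" [
                # 15552000 s = 180 days.  hstspreload.org requires a max-age
                # of at least 31536000 (one year) plus `preload`.
                (lib.optionalString config.enableHSTS ''
                  add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
                '')
                # `upstream_time` is a log_format that must be defined elsewhere
                # (e.g. in services.nginx.commonHttpConfig); this module does
                # not define it -- verify before enabling on a new host.
                (lib.optionalString config.addAccessLog ''
                  access_log /var/log/nginx/${name}/access.log upstream_time;
                '')
              ];
            };
          };
      in
      lib.mkOption { type = lib.types.attrsOf (lib.types.submodule extraVirtualHostOptions); };
  };

  config = {
    # nginx does not create log directories itself and fails to start when
    # `access_log` points into a missing one; create the per-host directory
    # (owned by the nginx user/group) for every host that logs there.
    systemd.tmpfiles.rules = lib.mapAttrsToList (
      name: _: "d /var/log/nginx/${name} 0750 ${cfg.user} ${cfg.group} - -"
    ) (lib.filterAttrs (_: vhost: vhost.addAccessLog) cfg.virtualHosts);

    # Don't attempt to run acme if the domain name is not tlater.net.
    # A non-zero ExecCondition skips the unit without marking it failed.
    systemd.services =
      let
        # The comparison lives in a script file so the domain value only has
        # to survive bash quoting (via escapeShellArg), not systemd's own
        # unquoting of `ExecCondition=` as well.  Quoting the right-hand side
        # also makes `[[ ... = ... ]]` a literal comparison, not a glob match.
        confirm = pkgs.writeShellScript "acme-domain-check" ''
          [[ "tlater.net" = ${lib.escapeShellArg cfg.domain} ]]
        '';
      in
      lib.mapAttrs' (
        cert: _:
        lib.nameValuePair "acme-${cert}" {
          serviceConfig.ExecCondition = "${confirm}";
        }
      ) config.security.acme.certs;
  };
}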