{
  pkgs,
  lib,
  config,
  adminUser,
  ...
}:
let
  httpHost = "10.100.0.60";
  mkWebfinger = config: file: pkgs.writeTextDir file (lib.generators.toJSON { } config);
  mkWebfingers =
    { subject, ... }@config:
    map (mkWebfinger config) [
      subject
      (lib.escapeURL subject)
    ];
  webfingerRoot = pkgs.symlinkJoin {
    name = "felschr.com-webfinger";
    paths = lib.flatten (
      builtins.map mkWebfingers [
        {
          subject = "acct:franck@fcuny.net";
          links = [
            {
              rel = "http://openid.net/specs/connect/1.0/issuer";
              href = "https://auth.fcuny.net";
            }
          ];
        }
      ]
    );
  };
in
{
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];

  security.acme.acceptTerms = true;
  security.acme.defaults = {
    email = "franck@fcuny.net";
    dnsResolver = "1.1.1.1:53";
    dnsProvider = "cloudflare";
    credentialsFile = config.age.secrets.acme-cloudflare-env.path;
  };

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedTlsSettings = true;
    commonHttpConfig = ''
      # limit clients doing too many requests
      # can be tested with ab -n 20 -c 10 <host>
      limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=10r/s;

      # limit clients opening too many connections
      limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
    '';
    virtualHosts = {
      "code.fcuny.net" = {
        enableACME = true;
        acmeRoot = null;
        forceSSL = true;
        locations."/".proxyPass = "http://${httpHost}";
      };
      "auth.fcuny.net" = {
        enableACME = true;
        acmeRoot = null;
        forceSSL = true;
        locations."/".proxyPass = "http://${httpHost}:9092";
      };
      "reader.fcuny.net" = {
        enableACME = true;
        acmeRoot = null;
        forceSSL = true;
        locations."/".proxyPass = "http://${httpHost}:8002";
      };
      "dash.fcuny.net" = {
        enableACME = true;
        acmeRoot = null;
        forceSSL = true;
        locations."/".proxyPass = "http://${httpHost}:3000";
      };
      "fcuny.net" = {
        enableACME = true;
        acmeRoot = null;
        forceSSL = true;
        locations."/".proxyPass = "http://${httpHost}:8070";
        locations."/ssh.pub" = {
          extraConfig = ''
            add_header Content-Type "text/plain; charset=utf-8";
            add_header Content-Disposition "inline";
            add_header Cache-Control "public, max-age=3600";
            return 200 "${
              lib.concatStringsSep "\\n" (
                with adminUser.userinfo.sshPublicKeys;
                [
                  yubikey-personal-nano
                  yubikey-personal-keychain
                  yubikey-personal-backup
                ]
              )
            }\n";
          '';
        };
        locations."/.well-known/webfinger" = {
          root = webfingerRoot;
          extraConfig = ''
            add_header Access-Control-Allow-Origin "*";
            default_type "application/jrd+json";
            types { application/jrd+json json; }
            if ($arg_resource) {
              rewrite ^(.*)$ /$arg_resource break;
            }
          '';
        };
      };
    };
  };
}