{pkgs, ...}: {
  imports = [
    ./vcnotifier.nix
    # ./nodemusicbot.nix
    ./breeze.nix
    ./min-rip.nix
    ./gitea.nix
    ./synapse.nix
    ./nebula.nix
  ];

  security.acme = {
    acceptTerms = true;
    defaults.email = "minishcontact@riseup.net";
  };

  services.nginx = {
    enable = true;
    package = pkgs.nginxQuic;

    recommendedZstdSettings = true;
    recommendedGzipSettings = true;
    recommendedBrotliSettings = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;

    # proxy_http_version is already set to 1.1 by recommendedProxySettings
    appendHttpConfig = ''
      proxy_request_buffering off;
    '';

    clientMaxBodySize = "0";
  };
  networking.firewall.allowedTCPPorts = [22 80 443]; # exposed by nginx
  networking.firewall.allowedUDPPorts = [443];
}