# NixOS module: serves a static site over HTTPS with nginx and opens the
# matching firewall ports.
{ ... }:

{
  # 443 carries the site itself. 80 has to stay reachable as well: forceSSL
  # answers plain-HTTP requests with a redirect to HTTPS, and the ACME
  # HTTP-01 challenge used for certificate issuance and renewal arrives there.
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  services.nginx = {
    enable = true;

    # Hardening/tuning presets shipped with the NixOS nginx module.
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    # Disabled override, kept for reference: restrict the cipher list to
    # forward-secret (ECDHE/DHE) suites using AES-256. While it stays commented
    # out, the module's default cipher list applies. Note that nginx's cipher
    # string governs TLS 1.2 and older only; TLS 1.3 suites are configured
    # separately.
    # sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";

    virtualHosts."home.beta.rz.ens.wtf" = {
      serverAliases = [ "beta.rz.ens.wtf" ];

      # Redirect every plain-HTTP request to HTTPS.
      forceSSL = true;

      # Obtain and renew the certificate through ACME. This file does not set
      # security.acme.acceptTerms or a contact e-mail; they must be defined
      # elsewhere in the system configuration.
      # NOTE(review): the alias presumably ends up on the same certificate, so
      # it must also resolve to this host for validation - confirm.
      enableACME = true;

      # Everything below this directory is published as-is; keep secrets,
      # backups and VCS metadata out of it.
      root = "/var/public-cof/home";
    };
  };
}