{ pkgs, ... }:
{
  security.acme.certs."cdn.rz.ens.wtf" = {
    dnsProvider = "acme-dns";
    credentialsFile = pkgs.writeText "acme-dns-env" ''
      ACME_DNS_API_BASE=https://acme.rz.ens.wtf
      ACME_DNS_STORAGE_PATH=/var/lib/acme/lego-acme-dns-accounts.json
    '';
    extraDomainNames = [ "*.cdn.rz.ens.wtf" ];
    group = "nginx";
  };
  services.nginx.virtualHosts."s3.rz.ens.wtf" = {
    enableACME = true;
    forceSSL = true;
    locations."/".proxyPass = "http://[::1]:3900";
  };
  services.nginx.virtualHosts."cdn.rz.ens.wtf" = {
    serverAliases = [ "*.cdn.rz.ens.wtf" ];
    useACMEHost = "cdn.rz.ens.wtf";
    forceSSL = true;
    locations."/".proxyPass = "http://[::1]:3902";
  };
  services.garage = {
    enable = true;
    settings = {
      replication_mode = "none";
      compression_level = 7;

      rpc_bind_addr = "10.1.1.21:3901";
      rpc_public_addr = "10.1.1.21:3901";
      rpc_secret = "76c2746530a4a27d188530a6bbf6c4613ccb8d8f129863d8c21462b84d5b998f";

      s3_api = {
        s3_region = "ens";
        api_bind_addr = "[::]:3900";
        root_domain = ".s3.rz.ens.wtf";
      };

      s3_web = {
        bind_addr = "[::]:3902";
        root_domain = ".cdn.rz.ens.wtf";
        index = "index.html";
      };
    };
  };
}