{ depot, ... }:

let
  inherit (depot.lib.meta) adminEmail;
in {
  security.acme.defaults.email = adminEmail;
  security.acme.acceptTerms = true;
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    proxyResolveWhileRunning = true;
    resolver = {
      addresses = [ "127.0.0.1" ];
      valid = "30s";
    };
    appendHttpConfig = ''
      server_names_hash_bucket_size 128;
      proxy_headers_hash_max_size 4096;
      proxy_headers_hash_bucket_size 128;
      log_format fmt_loki 'host=$host remote_addr=$remote_addr remote_user=$remote_user request="$request" status=$status body_bytes_sent=$body_bytes_sent http_referer="$http_referer" http_user_agent="$http_user_agent"';
      access_log syslog:server=unix:/dev/log,tag=nginx_access,nohostname fmt_loki;
    '';
  };
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  systemd.services.nginx.after = [ "network-online.target" ];
}