{ ... }: {
  networking = {
    firewall.allowedTCPPorts = [
      # nginx
      80
      443
    ];
  };

  security.acme = {
    defaults.email = "acme@fcuny.net";
    acceptTerms = true;
  };

  services.nginx = {
    enable = true;

    recommendedProxySettings = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedTlsSettings = true;

    virtualHosts = {
      "fcuny.net" = {
        forceSSL = true;
        enableACME = true;
        locations = {
          "/" = {
            root = "/srv/www/fcuny.net";
          };
          "/.well-known/acme-challenge" = {
            root = "/var/lib/acme/acme-challenges";
          };
        };
      };
    };
  };
}