{ ... }: {
  # container for excalidraw
  virtualisation.oci-containers.containers.excalidraw = {
    autoStart = true;
    image = "excalidraw/excalidraw:latest";
    environment = { TZ = "America/Los_Angeles"; };
    ports = [ "127.0.0.1:3030:80" ];
    extraOptions = [ "--pull=always" ];
  };

  security.acme = {
    defaults.email = "acme@fcuny.net";
    acceptTerms = true;
  };

  services.nginx = {
    enable = true;

    recommendedProxySettings = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedTlsSettings = true;

    virtualHosts = {
      "test.fcuny.net" = {
        # make it the default site: if a request goes through nginx
        # without a host header, this will be the default site we serve
        # for that request.
        default = true;
        forceSSL = true;
        enableACME = true;
        locations = {
          "/" = { root = "/srv/www/fcuny.net"; };
          "/.well-known/acme-challenge" = {
            root = "/var/lib/acme/acme-challenges";
          };
        };
      };
      "git.fcuny.net" = {
        forceSSL = true;
        enableACME = true;
        locations = {
          "/.well-known/acme-challenge" = {
            root = "/var/lib/acme/acme-challenges";
          };
        };
      };
      "draw.fcuny.net" = {
        forceSSL = true;
        enableACME = true;
        locations = {
          "/".proxyPass = "http://127.0.0.1:3030";
          "/.well-known/acme-challenge" = {
            root = "/var/lib/acme/acme-challenges";
          };
        };
      };
    };
  };
}