# NixOS module: nginx plus a loopback-only Prometheus exporter for its
# status page.
{ pkgs, lib, config, ... }:
{
  # Only 80 and 443 are opened by this file. The status port (8008) and the
  # exporter port (9113) are not in this list; allowedTCPPorts is merged
  # across modules, so check the rest of the configuration before relying
  # on that.
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  # nginx needs to be able to read the certificates.
  # NOTE(review): membership of "acme" presumably lets the nginx user read
  # every certificate and private key that group can read, not only the ones
  # nginx serves -- confirm this is acceptable, or scope per certificate.
  users.users.nginx.extraGroups = [ "acme" ];

  services = {
    nginx = {
      enable = true;

      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;

      # Status page for monitoring scrapes. Without an explicit default
      # port it would use port 80, which conflicts with the router
      # configuration: that one also has to listen on port 80 for streaming.
      # NOTE(review): the exporter below reads this page over loopback;
      # verify that the generated vhost restricts /nginx_status to
      # localhost clients.
      statusPage = true;
      defaultHTTPListenPort = 8008;
    };

    # Metrics exporter: bound to 127.0.0.1 and scraping nginx over
    # 127.0.0.1, so neither endpoint is offered on an external interface by
    # this module. A remote Prometheus needs a separate, access-controlled
    # path to port 9113.
    prometheus.exporters.nginx = {
      enable = true;
      listenAddress = "127.0.0.1";
      port = 9113;
      # Follows defaultHTTPListenPort so the two settings cannot drift apart.
      scrapeUri = "http://127.0.0.1:${toString config.services.nginx.defaultHTTPListenPort}/nginx_status";
    };
  };
}