{ ... }:
{
  networking.firewall.allowedTCPPorts = [ 443 ];

  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;

    virtualHosts = {
      "jras.nl" = {
        onlySSL = true;
        kTLS = true;
        enableACME = true;
        root = "/srv/www/jras.nl";
      };
    };
  };

  security.acme.defaults.email = "jaspert.ras@gmail.com";
  security.acme.acceptTerms = true;
}