# NixOS module: serves the static site jras.nl with nginx over HTTPS only,
# using a certificate requested through ACME.
{ ... }:
{
  # Port 443 is the only TCP port this module opens in the firewall.
  networking.firewall.allowedTCPPorts = [ 443 ];

  services.nginx.enable = true;
  services.nginx.recommendedTlsSettings = true;

  services.nginx.virtualHosts."jras.nl" = {
    # NOTE(review): onlySSL gives this vhost no plain-HTTP listener, and the
    # firewall rule above does not open port 80. If the certificate is
    # validated with the HTTP-01 challenge (the usual result of enableACME
    # unless another challenge type is configured elsewhere), issuance and
    # renewal need port 80 to be reachable. Confirm how validation is done
    # for this host, and monitor certificate expiry either way.
    onlySSL = true;
    enableACME = true;

    # Kernel TLS offload for this vhost.
    kTLS = true;

    # Document root; everything under this directory is publicly served.
    root = "/persist/srv/www/jras.nl";
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "jaspert.ras@gmail.com";
  };

  # Symlink /var/lib/acme to /persist/var/lib/acme.
  # NOTE(review): presumably /persist is storage that survives reboots, so
  # the ACME account and certificate private keys end up there. Verify that
  # the target directory's ownership and mode keep those keys unreadable to
  # other users. "L" creates the link only if the path does not exist yet.
  systemd.tmpfiles.rules = [
    "L /var/lib/acme - - - - /persist/var/lib/acme"
  ];
}