{
  lib,
  config,
  ...
}: let
  cfg = config.vhack.nginx;

  # Turn one `domain = target` pair from `cfg.redirects` into an nginx
  # virtual host: TLS-only, ACME-managed, and answering every request
  # with a permanent redirect to `target`.
  # The target is spliced verbatim into the nginx `return` directive, so
  # it must come from trusted module configuration (it is not escaped).
  redirectHost = _domain: target: {
    forceSSL = true;
    enableACME = true;
    locations."/".return = "301 ${target}";
  };
in {
  options.vhack.nginx = {
    enable = lib.mkEnableOption ''
      a default nginx config.
    '';

    selfsign = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Whether to selfsign the acme certificates.
        This should only really be useful for tests.
      '';
    };

    redirects = lib.mkOption {
      type = lib.types.attrsOf lib.types.str;
      default = {};
      description = ''
        An attrset of redirects to add.
        The keys are the domain that should than be redirected to the url specified as value.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    # Keep issued certificates and account keys across reboots.
    vhack.persist.directories = ["/var/lib/acme"];

    # Stable ids so the persisted state directory keeps its owner.
    users.users.acme.uid = config.vhack.constants.ids.uids.acme;
    users.groups.acme.gid = config.vhack.constants.ids.gids.acme;

    security.acme = {
      acceptTerms = true;
      defaults = {
        email = "admin@vhack.eu";
        webroot = "/var/lib/acme/acme-challenge";
        # Avoid spamming the acme server, if we run in a test, and only really want self-signed
        # certificates
        # NOTE(review): no ACME directory path is given here, so issuance
        # against this endpoint presumably fails and whatever placeholder
        # certificate the acme module provides stays in place — confirm
        # that this is the intended "selfsign" behaviour.
        server = lib.mkIf cfg.selfsign "https://127.0.0.1";
      };
    };

    # HTTP is needed for the ACME http-01 challenge and the forceSSL redirect.
    networking.firewall.allowedTCPPorts = [80 443];

    services.nginx = {
      enable = true;
      virtualHosts = lib.mapAttrs redirectHost cfg.redirects;
      # FIXME(@bpeetz): Migrate to a host. <2024-12-25>
      # {
      #   "gallery.s-schoeffel.de" = {
      #     forceSSL = true;
      #     enableACME = true;
      #     root = "/srv/gallery.s-schoeffel.de";
      #   };
      # }
    };
  };
}