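# NixOS module: nginx virtual hosts, 301 redirects, ACME and the nix-sync
# repositories that populate each site's webroot, all driven by two data files:
#   ./hosts.nix      -> list of { domain, url, root ? "", extraSettings ? {} }
#   ./redirects.nix  -> list of { key = <source domain>; value = <redirect target>; }
{lib, ...}: let
  domains = import ./hosts.nix {};
  importedRedirects = import ./redirects.nix {};

  # One redirect entry -> an nginx virtualHost that answers every path with
  # "301 <target>". The target is used verbatim, so whether the request path
  # is preserved depends entirely on what redirects.nix puts in `value`.
  mkRedirect = {
    key,
    value,
  }: {
    name = key;
    value = {
      forceSSL = true;
      enableACME = true;
      locations."/".return = "301 ${value}";
    };
  };

  # One hosts.nix entry -> an nginx virtualHost serving a static webroot.
  # `url` is accepted only so the same entry shape works for mkNixSyncRepository.
  # `extraSettings` is merged last, so it may override forceSSL/enableACME/root.
  mkVirtHost = {
    domain,
    root ? "",
    url,
    extraSettings ? {},
  }: {
    name = "${domain}";
    value =
      lib.recursiveUpdate {
        forceSSL = true;
        enableACME = true;
        root = "/etc/nginx/websites/${domain}/${root}";
      }
      extraSettings;
  };

  # One hosts.nix entry -> a nix-sync repository checked out into the same
  # webroot path that mkVirtHost serves.
  # NOTE(review): `extraSettings` is forwarded here unchanged even though the
  # same value is also applied as nginx virtualHost options above — confirm
  # that services.nix-sync actually expects the same attribute set.
  mkNixSyncRepository = {
    domain,
    root ? "",
    url,
    extraSettings ? {},
  }: {
    name = "${domain}";
    value = {
      path = "/etc/nginx/websites/${domain}/${root}";
      uri = "${url}";
      inherit extraSettings;
    };
  };

  virtHosts = builtins.listToAttrs (builtins.map mkVirtHost domains);
  nixSyncRepositories = builtins.listToAttrs (builtins.map mkNixSyncRepository domains);
  redirects = builtins.listToAttrs (builtins.map mkRedirect importedRedirects);

  # `//` silently lets the right-hand side win on duplicate keys, so a domain
  # present in both hosts.nix and redirects.nix would have its site replaced by
  # the redirect without any warning. Fail evaluation instead.
  duplicateDomains = builtins.attrNames (builtins.intersectAttrs virtHosts redirects);
  mergedVirtualHosts =
    assert lib.assertMsg (duplicateDomains == [])
    "nginx: domain(s) defined both in hosts.nix and redirects.nix: ${lib.concatStringsSep ", " duplicateDomains}";
      virtHosts // redirects;
in {
  security.acme = {
    acceptTerms = true;
    defaults = {
      email = "admin@vhack.eu";
      # Shared HTTP-01 challenge directory; nginx serves it for every
      # enableACME host.
      webroot = "/var/lib/acme/acme-challenge";
    };
  };

  # 80 is needed for ACME HTTP-01 and the forceSSL redirect, 443 for TLS.
  networking.firewall = {
    allowedTCPPorts = [80 443];
  };

  services.nginx = {
    enable = true;
    # Duplicate domains are rejected at evaluation time (see mergedVirtualHosts).
    virtualHosts = mergedVirtualHosts;
  };

  # NOTE(review): services.nix-sync is not a nixpkgs module; assumes it is
  # provided elsewhere in this configuration.
  services.nix-sync = {
    enable = true;
    repositories = nixSyncRepositories;
  };
}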