{
  config,
  lib,
  pkgs,
  this,
  ...
}:
with lib;
let
  cfg = config.nixfiles.modules.nginx;
in
{
  options.nixfiles.modules.nginx = {
    enable = mkEnableOption "Nginx";

    upstreams = mkOption {
      description = "Defines a group of servers to use as proxy target.";
      type = with types; anything;
      default = null;
    };

    virtualHosts = mkOption {
      description = "Attrset of virtual hosts.";
      type = with types; anything;
      default = null;
    };
  };

  config = mkIf cfg.enable {
    _module.args.libNginx.config = {
      internalOnly = ''
        add_header X-Robots-Tag "noindex, nofollow, noarchive, nosnippet";
        access_log off;
        if ($internal != 1) {
          return 403;
        }
      '';
      appendHead = text: ''
        brotli off;
        gzip off;
        zstd off;
        sub_filter '</head>' '${lib.concatStrings text}</head>';
        sub_filter_once on;
      '';
      noProxyBuffering = ''
        proxy_buffering off;
        proxy_cache off;
      '';
    };

    services = {
      nginx = {
        enable = true;

        enableReload = true;

        package = pkgs.nginxMainline;

        statusPage = mkDefault true;

        recommendedOptimisation = mkDefault true;
        recommendedProxySettings = mkDefault true;
        recommendedTlsSettings = mkDefault true;

        recommendedBrotliSettings = mkDefault true;
        recommendedGzipSettings = mkDefault true;
        recommendedZstdSettings = mkDefault true;

        resolver.addresses =
          let
            isIPv6 = addr: builtins.match ".*:.*:.*" addr != null;
            escapeIPv6 = addr: if isIPv6 addr then "[${addr}]" else addr;
            resolvers =
              if config.networking.nameservers != [ ] then
                config.networking.nameservers
              else
                dns.const.quad9.default;
          in
          map escapeIPv6 resolvers;

        commonHttpConfig = concatStrings [
          ''
            access_log syslog:server=unix:/dev/log;
          ''
          (optionalString (hasAttr "wireguard" this) (
            with config.nixfiles.modules.wireguard;
            ''
              geo $internal {
                default 0;
                127.0.0.1/32 1;
                ::1/128 1;
                ${ipv4.subnet} 1;
                ${ipv6.subnet} 1;
              }
            ''
          ))
        ];

        inherit (cfg) upstreams;

        virtualHosts =
          {
            default = {
              default = true;
              rejectSSL = true;
              locations."/".return = "444";
            };
          }
          // (mkIf (cfg.virtualHosts != null) (
            mapAttrs (
              _: attr:
              mkMerge [
                attr
                (mkIf config.nixfiles.modules.acme.enable {
                  enableACME = mkDefault true;
                  forceSSL = mkDefault true;
                })
              ]
            ) cfg.virtualHosts
          ));

        sslDhparam = config.security.dhparams.params.nginx.path;
      };

      fail2ban.jails = {
        nginx-http-auth.enabled = true;
        nginx-botsearch.enabled = true;
      };

      prometheus.exporters.nginx = {
        enable = true;
        listenAddress = mkDefault this.wireguard.ipv4.address;
        port = mkDefault 9113;
      };
    };

    security.dhparams = {
      enable = true;
      params.nginx = { };
    };

    networking.firewall.allowedTCPPorts = [
      80
      443
    ];
  };
}