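# Public web front: ACME wildcard certificates (DNS-01 via Cloudflare) and an
# Nginx catch-all vhost serving a small static landing page for this host.
#
# Module arguments beyond the standard NixOS ones:
#   me    - per-person settings (me.name, me.is.renard) supplied by the flake
#   util  - project helper set (util.titleCase) supplied by the flake
{ me, config, pkgs, lib, util, ... }:
let
  inherit (lib) mergeAttrsList;
  inherit (config.age) secrets;

  # The operator's own host gets the apex; everyone else gets a subdomain,
  # which the "*.rnrd.eu" wildcard certificate below also covers.
  rnrdUrl = if me.is.renard then "rnrd.eu" else "${me.name}.rnrd.eu";

  # Landing page: @me@ in base.html is replaced verbatim (no HTML escaping), so
  # me.name is assumed to be trusted operator config, not user input.
  # NOTE(review): newer nixpkgs deprecate substituteAll in favour of replaceVars;
  # check on the next nixpkgs bump.
  base-index = pkgs.substituteAll {
    src = ../../assets/base.html;
    env.me = util.titleCase me.name;
  };

  base = pkgs.linkFarm "www-base" {
    "index.html" = base-index;
    "favicon.png" = ../../assets/favicon.png;
  };

  # Wildcard certificate for `domain` plus the apex, via the DNS-01 challenge.
  # Security notes:
  #  - DNS-01 is required for wildcards, so the Cloudflare token is the crown
  #    jewel here: whoever holds it can obtain certificates for ANY name under
  #    the zone. Keep it scoped to Zone:DNS:Edit on just these zones.
  #  - The token file is handed to lego via credentialFiles; the NixOS ACME
  #    module is expected to load it with systemd credentials, so the agenix
  #    default (root-owned, 0400) should be sufficient — verify if issuance
  #    fails with a permission error.
  certificate = domain: {
    ${domain} = {
      domain = "*.${domain}";
      extraDomainNames = [ domain ];
      dnsProvider = "cloudflare";
      credentialFiles = {
        CLOUDFLARE_DNS_API_TOKEN_FILE = secrets.cloudflare-dns.path;
      };
    };
  };
in
{
  imports = [ ./tailnet.nix ];

  age.secrets = {
    cloudflare-dns.file = ../../secrets/cloudflare-dns.age;
  };

  security.acme = {
    acceptTerms = true;

    # causes issues with tailscale certificates
    # Consequence: nothing is placed in the cert directory until the real ACME
    # run succeeds, so on a fresh deploy nginx has no certificate to load until
    # the acme-* units have completed.
    preliminarySelfsigned = false;

    defaults = {
      email = "mel@rnrd.eu";
      # our certificates are really only used with Nginx
      # The private keys (including the wildcard keys) become readable by the
      # nginx group; nothing else should be added to that group.
      group = config.services.nginx.group;
      reloadServices = [ "nginx.service" ];
    };

    # One wildcard cert per zone. rnrd.fyi is issued here but not consumed by
    # any vhost in this file.
    certs = mergeAttrsList [
      (certificate "rnrd.eu")
      (certificate "rnrd.fyi")
    ];
  };

  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    # Mozilla-intermediate style TLS settings from the NixOS module; HSTS is
    # deliberately not part of them and is set per vhost below.
    recommendedTlsSettings = true;
    # /nginx_status; the NixOS module restricts it to loopback.
    statusPage = true;

    # JSON access log with escape=json so request lines, referrers and
    # user-agents cannot inject fake records or break parsers downstream.
    commonHttpConfig = ''
      log_format json_combined escape=json '{'
        '"time_local":"$time_local",'
        '"remote_addr":"$remote_addr",'
        '"remote_user":"$remote_user",'
        '"request":"$request",'
        '"status": "$status",'
        '"body_bytes_sent":"$body_bytes_sent",'
        '"request_length":"$request_length",'
        '"request_time":"$request_time",'
        '"http_referrer":"$http_referer",'
        '"http_user_agent":"$http_user_agent",'
        '"upstream_response_time":"$upstream_response_time",'
        '"upstream_addr":"$upstream_addr",'
        '"upstream_status":"$upstream_status"'
      '}';
      access_log /var/log/nginx/access.log json_combined;
      error_log /var/log/nginx/error.log warn;
    '';

    virtualHosts = {
      base = {
        # NOTE(review): as the default server this block answers every
        # unmatched Host/SNI (including bare-IP scans) with the real wildcard
        # certificate, which discloses the zone. If that matters, add a
        # separate catch-all that returns 444 with a throwaway certificate.
        default = true;
        serverName = rnrdUrl;
        # forceSSL only redirects; without HSTS the first plain-HTTP request of
        # every visit stays strippable, so pin browsers to HTTPS for a year.
        # includeSubDomains is intentionally omitted: other *.rnrd.eu services
        # are configured elsewhere and this file cannot vouch for them.
        forceSSL = true;
        useACMEHost = "rnrd.eu";
        root = base;
        extraConfig = ''
          add_header Strict-Transport-Security "max-age=31536000" always;
          access_log /var/log/nginx/base.access.log json_combined;
        '';
      };
    };
  };
}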