# NixOS module: nginx front end for the "roam" site, key-only SSH, and the
# host firewall.
#
# Arguments are supplied by the module system; `var`, `config` and `secrets`
# are accepted but not referenced in this file.
{ var, config, secrets, ... }:
{
  services.nginx = {
    enable = true;

    # The upstream hardening/tuning presets are deliberately left commented out.
    # NOTE(review): confirm TLS and proxy defaults are acceptable without them.
    # recommendedTlsSettings = true;
    # recommendedProxySettings = true;
    # recommendedOptimisation = true;

    virtualHosts = {
      # Catch-all server for requests whose Host/SNI matches no other vhost.
      # Without it, nginx would answer unknown names with the first vhost.
      default = {
        serverName = "_";
        default = true;
        # Reject the TLS handshake so no other vhost's certificate is
        # presented for unknown names.
        rejectSSL = true;
        # 444 is nginx-specific: close the connection without a response.
        locations."/" = {
          return = "444";
        };
      };

      # Public site: certificate obtained through ACME, plain HTTP redirected
      # to HTTPS.
      # NOTE(review): assumes security.acme terms/email are set elsewhere.
      "roam.hdohmen.de" = {
        enableACME = true;
        forceSSL = true;
        # Empty location: no root or proxy target is visible in this file;
        # presumably merged in from another module -- confirm.
        locations."/" = { };
      };
    };

    # `privateVirtualHosts` is not defined in this file; presumably a
    # project-local option for LAN-only hosts.
    # NOTE(review): the firewall below opens 80/443 on every interface, so any
    # access restriction for roam.lan has to come from that option -- verify.
    privateVirtualHosts."roam.lan".locations."/" = { };
  };

  services.openssh = {
    enable = true;
    settings = {
      # Key-based login only.
      # NOTE(review): keyboard-interactive auth is a separate sshd setting
      # (KbdInteractiveAuthentication); confirm it is disabled as well.
      PasswordAuthentication = false;
    };
  };

  # Only HTTP/HTTPS are listed explicitly. The openssh module opens its own
  # port unless `services.openssh.openFirewall` is turned off elsewhere.
  networking.firewall.enable = true;
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];
}