# NixOS module: nginx front end plus an ACME wildcard certificate for
# katkak.dev, issued through the Cloudflare DNS provider with an
# agenix-managed API token.
{ pkgs, config, ... }:
let
  # Runtime path of the decrypted Cloudflare token (declared under age.secrets below).
  cloudflareTokenFile = config.age.secrets.acme.path;
in
{
  # Inbound TCP ports opened on the host firewall.
  # NOTE(review): the original comment said these are needed for ACME, but
  # with `dnsProvider` set the challenge is solved over DNS and needs no
  # inbound port. 80/443 are presumably for nginx; 25565 is not used by
  # anything in this module, so confirm that it is meant to be public.
  networking.firewall.allowedTCPPorts = [ 80 443 25565 ];

  # nginx with the module's recommended proxy and TLS presets.
  # No virtualHosts are defined in this module.
  services.nginx.enable = true;
  services.nginx.recommendedProxySettings = true;
  services.nginx.recommendedTlsSettings = true;

  # Encrypted Cloudflare credential; the decrypted file is owned by acme:acme.
  age.secrets.acme.file = ../../secrets/acme.age;
  age.secrets.acme.owner = "acme";
  age.secrets.acme.group = "acme";

  security.acme.acceptTerms = true;

  security.acme.defaults = {
    # Certificates use nginx's group, presumably so that nginx can read them.
    inherit (config.services.nginx) group;
    dnsProvider = "cloudflare";
    email = "dezuttereluka@gmail.com";
    # The token is passed by file path, so its value is never written into
    # the Nix store.
    # NOTE(review): this token can edit DNS records and therefore obtain a
    # certificate for any name it controls. Confirm that it is scoped to
    # DNS edit on the katkak.dev zone only.
    credentialFiles = {
      "CLOUDFLARE_DNS_API_TOKEN_FILE" = cloudflareTokenFile;
    };
  };

  # One certificate covers the apex and the wildcard. Its private key is valid
  # for every subdomain, so restrict read access to the services that need it.
  security.acme.certs."katkak.dev".extraDomainNames = [ "*.katkak.dev" ];
}