{
  lib,
  config,
  ...
}: let
  importedRedirects = import ./redirects.nix {};
  mkRedirect = {
    key,
    value,
  }: {
    name = key;
    value = {
      forceSSL = true;
      enableACME = true;
      locations."/".return = "301 ${value}";
    };
  };

  redirects = builtins.listToAttrs (builtins.map mkRedirect importedRedirects);

  cfg = config.vhack.nginx;
in {
  options.vhack.nginx = {
    enable = lib.mkEnableOption ''
      a default nginx config.
    '';

    selfsign = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Whether to selfsign the acme certificates. This should only
        really be useful for tests.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    security.acme = {
      acceptTerms = true;
      defaults = {
        email = "admin@vhack.eu";
        webroot = "/var/lib/acme/acme-challenge";

        # Avoid spamming the acme server, if we run in a test, and only really want self-signed
        # certificates
        server = lib.mkIf cfg.selfsign "https://127.0.0.1";
      };
    };

    networking.firewall = {
      allowedTCPPorts = [80 443];
    };
    services.nginx = {
      enable = true;
      # The merge here is fine, as no domain should be specified twice
      virtualHosts =
        {
          "gallery.s-schoeffel.de" = {
            forceSSL = true;
            enableACME = true;
            root = "/srv/gallery.s-schoeffel.de";
          };
        }
        // redirects;
    };
  };
}