# NixOS module: opt-in HTTPS baseline for nginx.
#
# When custom.nginxHttpsServer.enable is true, this module
#   * enables nginx with the nixpkgs "recommended" optimisation, TLS and
#     proxy presets,
#   * opens TCP 443 in the host firewall, and
#   * gives every services.nginx.virtualHosts entry forceSSL and kTLS as
#     defaults.
# When the flag is false (its default) none of the above is applied.
{ config, lib, ... }:

let
  inherit (lib) mkDefault mkIf mkOption types;

  httpsServer = config.custom.nginxHttpsServer;
  isEnabled = httpsServer.enable;

  # Extra submodule merged into every virtual host definition.
  # The values are set at mkDefault priority, so a host that sets forceSSL or
  # kTLS itself wins over this baseline. That includes forceSSL = false, so
  # this is a default and not an enforced policy.
  #
  # NOTE(review): forceSSL only configures the HTTP->HTTPS redirect and the
  # TLS listener. This module sets no certificate source (enableACME,
  # useACMEHost, sslCertificate, ...); each host has to provide one.
  # NOTE(review): kTLS hands TLS record processing to the kernel and needs
  # support from the nginx build and the running kernel. Confirm on the
  # target hosts.
  vhostDefaults = {
    config = mkIf isEnabled {
      forceSSL = mkDefault true;
      kTLS = mkDefault true;
    };
  };
in
{
  options = {
    # Master switch for everything in this module.
    custom.nginxHttpsServer.enable = mkOption {
      type = types.bool;
      default = false;
    };

    # Re-declaring the option merges vhostDefaults into the upstream
    # virtualHosts submodule type. It does not replace the upstream type.
    services.nginx.virtualHosts = mkOption {
      type = types.attrsOf (types.submodule vhostDefaults);
    };
  };

  config = mkIf isEnabled {
    services.nginx = {
      enable = true;

      # nixpkgs-maintained presets. The exact protocol and cipher settings
      # behind recommendedTlsSettings depend on the nixpkgs revision in use,
      # so review them when pinning or upgrading.
      recommendedTlsSettings = true;
      recommendedProxySettings = true;
      recommendedOptimisation = true;
    };

    # Only the TLS port is opened here.
    # NOTE(review): forceSSL also creates a port-80 redirect listener. With
    # 80 closed in the firewall that redirect is unreachable from outside,
    # and ACME HTTP-01 validation would need port 80 opened elsewhere.
    # Confirm that HTTPS-only exposure is intended.
    networking.firewall.allowedTCPPorts = [ 443 ];
  };
}