{ config, ... }:
{
  config = {
    services.nginx.virtualHosts."online.yggdrasil.li" = {
      forceSSL = true;
      kTLS = true;
      http3 = true;
      sslCertificate = "/run/credentials/nginx.service/online.yggdrasil.li.pem";
      sslCertificateKey = "/run/credentials/nginx.service/online.yggdrasil.li.key.pem";
      sslTrustedCertificate = "/run/credentials/nginx.service/online.yggdrasil.li.chain.pem";

      locations."/".extraConfig = ''
        add_header X-NetworkManager-Status online;
        add_header Cache-Control "max-age=0, must-revalidate";
        return 204;
      '';
    };
    security.acme.rfc2136Domains."online.yggdrasil.li" = {
      restartUnits = ["nginx.service"];
    };
    systemd.services.nginx.serviceConfig = {
      LoadCredential = [
        "online.yggdrasil.li.key.pem:${config.security.acme.certs."online.yggdrasil.li".directory}/key.pem"
        "online.yggdrasil.li.pem:${config.security.acme.certs."online.yggdrasil.li".directory}/fullchain.pem"
        "online.yggdrasil.li.chain.pem:${config.security.acme.certs."online.yggdrasil.li".directory}/chain.pem"
      ];
    };
  };
}