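{ config, lib, ... }:

let
  cfg = config.snowflake.services.nginx;
in
{
  # Opinionated nginx wrapper: ACME account defaults, host-generated DH
  # parameters, the upstream "recommended*" hardening knobs, and a catch-all
  # default server that drops requests for unknown Host / SNI names instead of
  # letting nginx fall back to the first configured virtual host.
  options.snowflake.services.nginx = {
    # mkEnableOption prefixes "Whether to enable ..." itself, so the argument
    # is the thing being enabled, not a sentence.
    enable = lib.mkEnableOption "nginx";

    acmeEmail = lib.mkOption {
      type = lib.types.str;
      description = "Contact email address registered with the ACME provider for certificates issued to nginx.";
      example = "admin@example.org";
    };

    clientMaxBodySize = lib.mkOption {
      type = lib.types.str;
      default = "10m";
      description = "Value of nginx's client_max_body_size directive (upper bound on request bodies, e.g. \"10m\").";
    };
  };

  config = lib.mkIf cfg.enable {
    security.acme = {
      acceptTerms = true;
      defaults.email = cfg.acmeEmail;
    };

    # Generate DH parameters on this host rather than shipping a shared,
    # precomputed group.
    security.dhparams = {
      enable = true;
      params.nginx = { };
    };

    services.nginx = {
      enable = true;
      clientMaxBodySize = cfg.clientMaxBodySize;
      recommendedProxySettings = true;
      recommendedOptimisation = true;
      recommendedGzipSettings = true;
      recommendedTlsSettings = true;
      sslDhparam = config.security.dhparams.params.nginx.path;

      # Catch-all default server.
      #
      # `default_server` is chosen per address:port pair, so it has to be
      # declared for the IPv6 sockets as well whenever the other virtual hosts
      # listen on [::] (services.nginx.enableIPv6, on by default); otherwise
      # the first defined vhost silently becomes the implicit default there.
      #
      # ssl_reject_handshake (nginx >= 1.19.4) aborts the TLS handshake for an
      # unknown SNI name without presenting any certificate; `return 444`
      # closes plain-HTTP connections without sending a response.
      appendHttpConfig = ''
        server {
          listen 80 default_server;
          listen 443 ssl default_server;
          ${lib.optionalString config.services.nginx.enableIPv6 ''
            listen [::]:80 default_server;
            listen [::]:443 ssl default_server;
          ''}
          ssl_reject_handshake on;
          return 444;
        }
      '';
    };
  };
}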