{ ... }:
{
	services.nginx = {
		enable = true;

		# Use recommended settings
		recommendedGzipSettings = true;
		recommendedOptimisation = true;
		recommendedProxySettings = true;
		recommendedTlsSettings = true;

		# Only allow PFS-enabled ciphers with AES256
		sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

		commonHttpConfig = ''
			# Add HSTS header with preloading to HTTPS requests.
			# Adding this header to HTTP requests is discouraged
			map $scheme $hsts_header {
				https   "max-age=31536000; includeSubdomains; preload";
			}
			add_header Strict-Transport-Security $hsts_header;

			# Enable CSP for your services.
			#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;

			# Minimize information leaked to other domains
			add_header 'Referrer-Policy' 'same-origin';

			# Disable embedding as a frame
			add_header X-Frame-Options DENY;

			# Prevent injection of code in other mime types (XSS Attacks)
			add_header X-Content-Type-Options nosniff;

			# Enable XSS protection of the browser.
			# May be unnecessary when CSP is configured properly (see above)
			add_header X-XSS-Protection "1; mode=block";

			# This might create errors
			proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
		'';
	};
}