{ pkgs, ... }: { services.nginx = { enable = true; enableReload = true; package = pkgs.nginxMainline; recommendedBrotliSettings = true; recommendedGzipSettings = true; recommendedOptimisation = true; recommendedProxySettings = true; recommendedTlsSettings = true; recommendedZstdSettings = true; }; users.users.nginx.extraGroups = [ "acme" ]; networking.firewall.allowedTCPPorts = [ 80 443 ]; security.acme.acceptTerms = true; security.acme.defaults = { dnsProvider = "hetzner"; dnsResolver = "hydrogen.ns.hetzner.com:53"; reloadServices = [ "nginx" ]; environmentFile = "/var/secrets/hetzner-acme"; }; systemd.services.nginx = { after = [ "network-online.target" ]; wants = [ "network-online.target" ]; }; }