# NixOS module: runs Syncthing as a system service and publishes its web GUI
# through an nginx virtual host with an ACME-issued certificate.
{ lib, pkgs, ... }:
with lib;
let
  # Public host name of the nginx virtual host and of the ACME certificate.
  domain = "cloud.posixlycorrect.com";
  # Loopback address the Syncthing GUI listens on; nginx proxies to it.
  guiAddr = "127.0.0.1:8384";
  # Directory holding the ACME-issued files for `domain`.
  acmeDir = "/var/lib/acme/${domain}";
in
{
  # Shared group that owns the ACME certificate files for `domain`.
  # NOTE(review): membership gives the syncthing user read access to the
  # web server's TLS private key; confirm that access is actually needed.
  users.groups.syncthingnginx.members = [ "acme" "syncthing" "nginx" ];
  security.acme.certs.${domain}.group = "syncthingnginx";

  # Syncthing sync traffic (22000 TCP/UDP) and local discovery (21027 UDP).
  # Opened here by hand because openDefaultPorts is false below.
  networking.firewall.allowedTCPPorts = [ 22000 ];
  networking.firewall.allowedUDPPorts = [ 22000 21027 ];

  # TLS terminates at nginx; requests are forwarded in plain HTTP to the GUI
  # on loopback.
  # NOTE(review): this vhost puts the Syncthing GUI on a public name and no
  # nginx-level authentication or source-address restriction is configured
  # in this file, so access control rests on the GUI's own credentials,
  # which are not declared here. Confirm a GUI user and password are set.
  services.nginx.virtualHosts.${domain} = {
    enableACME = true;
    forceSSL = true;
    extraConfig = ''
      proxy_headers_hash_max_size 512;
      proxy_headers_hash_bucket_size 128;
    '';
    locations."/".proxyPass = "http://${guiAddr}";
  };

  services.syncthing = {
    enable = true;
    systemService = true;

    # Devices and folders added outside this module (e.g. through the GUI)
    # are kept rather than overwritten on activation.
    overrideFolders = false;
    overrideDevices = false;

    # The firewall ports are listed explicitly above instead.
    openDefaultPorts = false;

    # NOTE(review): `key` and `cert` are Syncthing's device key pair, from
    # which the device ID is derived. They are not the GUI's HTTPS
    # certificate. Pointing them at the ACME files reuses the web TLS
    # private key as the sync identity, and the device ID would presumably
    # change once a renewed certificate is picked up. Confirm this is
    # intended; TLS for the GUI is already handled by nginx.
    key = "${acmeDir}/key.pem";
    cert = "${acmeDir}/cert.pem";

    # GUI is bound to loopback only; external access goes through nginx.
    guiAddress = guiAddr;

    # -1 declines Syncthing's anonymous usage reporting.
    settings.options.urAccepted = -1;
  };
}