# NixOS module: enables nginx and declares three TLS virtual hosts.
# One host serves static files; the other two reverse-proxy to services
# listening on loopback ports. Every host gets an ACME certificate through
# the shared `std` attribute set.
{pkgs, ...}: {
  services.nginx = {
    enable = true;
    # NOTE: in wake of CVE-2022-3602/CVE-2022-3786 nginxStable is overlayed
    # (Both CVEs are the OpenSSL 3.0.x X.509 punycode buffer overflows.)
    # NOTE(review): the overlay itself is not defined in this file. Confirm it
    # still exists and that it builds against a patched OpenSSL, or drop it if
    # the pinned nixpkgs already carries the fix.
    package = pkgs.nginx;

    # The module-wide "recommended" presets are all left disabled.
    # NOTE(review): with recommendedProxySettings off, and no proxy_set_header
    # lines in this file, the proxied backends presumably see every request as
    # coming from 127.0.0.1 with nginx's default upstream Host header. Their
    # access logs and any per-client rate limiting or lockout would then not
    # see real client addresses. Confirm this is intended.
    # recommendedGzipSettings = true;
    # recommendedOptimisation = true;
    # recommendedProxySettings = true;
    # recommendedTlsSettings = true;

    # Disabled: a UDP stream proxy from loopback port 53 to 192.168.0.1:53535.
    # streamConfig = ''
    #   server {
    #     listen 127.0.0.1:53 udp reuseport;
    #     proxy_timeout 20s;
    #     proxy_pass 192.168.0.1:53535;
    #   }
    # '';

    virtualHosts = let
      # Scheme and address prefix shared by both proxyPass targets below.
      localhost = "http://127.0.0.1";
      # Options merged into every virtual host with `// std`. `//` is a shallow
      # merge in which the right-hand side wins, so any key added here would
      # override the same key set on a host. Today it only adds enableACME.
      std = {
        # TODO: should I run over QUIC+HTTP3? (experimental)
        # quic = true;
        # http3 = true;
        enableACME = true;
        # kTLS = true; # offload TLS to the linux kernel
      };
    in {
      # Static site. `default = true` makes this the catch-all server, so
      # requests whose Host header matches no other vhost are served from here.
      "dobutterfliescry.net" = {
        default = true;
        # addSSL listens on both HTTP and HTTPS with no redirect, so this site
        # stays reachable over plaintext. The author's note marks it deliberate.
        addSSL = true; # addSSL NOT forceSSL <3
        root = "${pkgs.dobutterfliescry-net}/www";
        # extraConfig = ''
        #   error_page 404 /custom_404.html;
        # '';
      } // std;
      # Reverse proxy to a service on loopback port 8222.
      # forceSSL redirects HTTP to HTTPS; no HSTS header is configured here.
      # NOTE(review): the hostname suggests a secrets or password vault.
      # Verify that the backend binds to 127.0.0.1 only and that the firewall
      # does not expose port 8222, so nginx is the only path to it.
      "vault.imbored.dev" = {
        forceSSL = true;
        locations."/".proxyPass = "${localhost}:8222";
      } // std;
      # Reverse proxy to a service on loopback port 3000; HTTP redirects to HTTPS.
      "tearforge.net" = {
        forceSSL = true;
        # Raises the request body limit for this vhost to 512M.
        # NOTE(review): large uploads are accepted before the backend can
        # authenticate the request. Confirm the limit matches what the
        # service needs and that disk space for buffered bodies is adequate.
        extraConfig = ''
          client_max_body_size 512M;
        '';
        locations."/".proxyPass = "${localhost}:3000";
      } // std;
    };
  };
}