# NixOS module: nginx serving configuration generated under /srv/ngx/out,
# plus a daily systemd timer that renews Let's Encrypt certificates with certbot.
#
# NOTE(review): nginx master *and* worker processes run as root here, and the
# unit's serviceConfig is replaced wholesale with lib.mkForce. See the inline
# comments below before reusing this module on an internet-facing host.
{ pkgs, lib, ... }:

let
  # Single definition of the nginx command line so start and reload-test agree.
  nginxCmd = "${pkgs.nginx}/bin/nginx -c /etc/nginx/nginx.conf";
in
{
  environment.systemPackages = [ pkgs.certbot ];

  services.nginx = {
    enable = true;

    # enableReload keeps the config at /etc/nginx/nginx.conf so a HUP can pick
    # up changes without restarting the unit.
    enableReload = true;

    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    # NOTE(review): root is used for the service account and, through the
    # `user root;` directive below, for the worker processes that parse
    # untrusted HTTP traffic. Any worker compromise is a root compromise.
    # Presumably done so nginx can read certbot's key material; a dedicated
    # user with group read access to the certificates would narrow this.
    user = "root";
    appendConfig = "user root;";

    # NOTE(review): every *.conf in /srv/ngx/out is loaded into the http
    # context of a root-owned nginx. Write access to that directory is
    # equivalent to control of this process; its ownership and mode are not
    # visible here and should be root-only.
    appendHttpConfig = "include /srv/ngx/out/*.conf;";
  };

  systemd = {
    services = {
      # Renewal job. No User= is set, so it runs with systemd's default for
      # system units (root). On a successful renewal certbot asks nginx to
      # reload so the new certificate is served.
      certbot-renew = {
        description = "certbot auto renew service";
        serviceConfig = {
          ExecStart = "${pkgs.certbot}/bin/certbot renew --quiet --post-hook 'systemctl reload nginx.service'";
        };
      };

      # NOTE(review): mkForce on the whole attribute set discards every
      # serviceConfig key the upstream nginx module defines, not just the ones
      # restated here. Any sandboxing/hardening, restart policy or capability
      # settings from the module are therefore gone; only the keys listed
      # below remain in effect.
      nginx.serviceConfig = lib.mkForce {
        User = "root";
        Group = "root";
        ExecStart = nginxCmd;
        # Validate the configuration first; the HUP is only sent if `-t` passes.
        ExecReload = [
          "${nginxCmd} -t"
          "${pkgs.coreutils}/bin/kill -HUP $MAINPID"
        ];
        LogsDirectory = "nginx";
        RuntimeDirectory = "nginx";
      };
    };

    # Fire the renewal once a day; Persistent catches up on a run that was
    # missed while the machine was powered off.
    timers.certbot-renew = {
      description = "certbot auto renew timer";
      wantedBy = [ "timers.target" ];
      timerConfig = {
        OnCalendar = "daily";
        Persistent = true;
      };
    };
  };
}