{ inputs, pkgs, ... }:
{
  nixpkgs.overlays = [
    # Build the stable nginx against libressl instead of openssl
    # (added in the wake of CVE-2022-3602/CVE-2022-3786).
    (final: prev: {
      nginxStable = prev.nginxStable.override { openssl = pkgs.libressl; };
    })
    inputs.dobutterfliescry-net.overlays.default
  ];

  # One nginx instance: serves the static "under construction" page and
  # reverse-proxies the vault/forge subdomains to services on loopback.
  #
  # TODO: sshd and forgejo's built-in ssh server should both answer on port 22.
  # Move sshd to a different address/port (e.g. 2222 or 127.0.0.3:22) and point
  # forgejo at 127.0.0.2:22 (keep port 22, ONLY change the loopback address).
  services.nginx = {
    enable = true;

    # XXX: TODO: does this automatically pick up the nginxStable overlay?
    # NOTE(review): in NixOS `services.nginx.package` defaults to
    # pkgs.nginxStable, which the overlay above replaces, so the libressl build
    # should be used without setting `package` here — confirm on the host with
    # `nginx -V` (it prints the TLS library it was built against).
    # package = pkgs.nginxStable.override { openssl = pkgs.libressl; };

    recommendedGzipSettings = true;
    recommendedZstdSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    # streamConfig = ''
    #   server {
    #     listen 127.0.0.1:53 udp reuseport;
    #     proxy_timeout 20s;
    #     proxy_pass 192.168.0.1:53535;
    #   }
    # '';

    virtualHosts =
      let
        loopback = "http://127.0.0.1";

        # Settings shared by every virtual host.
        common = {
          # TODO: should I run over QUIC+HTTP3? (experimental)
          # quic = true;
          # http3 = true;
          enableACME = true;
          # kTLS = true; # offload TLS to the linux kernel
        };

        # Host that reverse-proxies "/" to a service listening on loopback.
        # Plain http is redirected to https (forceSSL).
        proxyTo = port: common // {
          forceSSL = true;
          locations."/".proxyPass = "${loopback}:${toString port}";
        };

        # Static-site template (currently unused: the imbored.dev host below
        # is disabled).
        website = common // {
          default = true;
          addSSL = true; # not strictly enforced <3
          root = "/var/www/imbored";
          # extraConfig = ''
          #   error_page 404 /custom_404.html;
          # '';
        };

        vault = proxyTo 8222;

        forge = proxyTo 3000 // {
          # forgejo accepts large pushes/uploads, so raise the request body cap.
          extraConfig = ''
            client_max_body_size 512M;
          '';
        };
      in {
        # XXX: TODO: imbored.dev and dobutterfliescry.net can't be active at the
        # same time??? why??
        # NOTE(review): most likely because both hosts set `default = true`, and
        # nginx refuses to start with two default_server entries on the same
        # listen address ("duplicate default server"). Only one host per
        # address:port can be the default — drop `default` from one of them.
        # "imbored.dev" = website;

        "dobutterfliescry.net" = common // {
          default = true;
          addSSL = true; # not strictly enforced <3
          # root = "/var/www/cry";
          root = "${pkgs.dobutterfliescry-net}/www";
          # extraConfig = ''
          #   error_page 404 /custom_404.html;
          # '';
        };

        # Route "vault" subdomain to vaultwarden
        "vault.imbored.dev" = vault;

        # Route "forge" subdomain to forgejo
        # TODO: use `forgejo.settings.server.ENABLE_ACME` instead?
        "forge.imbored.dev" = forge;
        # "forge.dobutterfliescry.net" = forge;
      };
  };
}