{
  config,
  pkgs,
  ...
}: {
  services.nginx = {
    enable = true;
    appendHttpConfig = ''
      limit_req_zone $binary_remote_addr zone=blog:10m rate=10r/s;
    '';
    virtualHosts."spandrell.ch" = {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://127.0.0.1:8080";
        proxyWebsockets = true; # needed if you need to use WebSocket
        extraConfig = ''
          limit_req zone=blog burst=20 nodelay;
          proxy_set_header Host $Host;
          proxy_set_header Forwarded for=$remote_addr;
        '';
      };
    };
    virtualHosts."u.spandrell.ch" = {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://127.0.0.1:8081";
        proxyWebsockets = true; # needed if you need to use WebSocket
        extraConfig = ''
          limit_req zone=blog burst=20 nodelay;
          proxy_set_header Host $Host;
          proxy_set_header Forwarded for=$remote_addr;
        '';
      };
    };
    virtualHosts."s3.spandrell.ch" = {
      extraConfig = ''
        client_max_body_size 128M;
      '';
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://127.0.0.1:9000";
        proxyWebsockets = true; # needed if you need to use WebSocket
        extraConfig = ''
          proxy_set_header Host $Host;
        '';
      };
    };
  };
}