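{ config, lib, pkgs, ... }:

# NixOS module: public nginx on ports 80/443 with ACME certificates obtained
# through Cloudflare DNS-01 challenges.
#
# The Cloudflare API token is deliberately NOT materialised with
# pkgs.writeText: anything built that way is copied into /nix/store, which is
# world-readable, so the token would be exposed to every local user and to any
# binary cache the store is pushed to. The token is instead provisioned out of
# band into a root-only file outside the store, and security.acme only
# receives the path. Any token that was previously inlined in this file should
# be treated as exposed and rotated.
{
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
  };

  security.acme = {
    acceptTerms = true;

    # These defaults are inherited by security.acme.certs.* unless overridden.
    defaults = {
      email = "admin@symbiotrip.com";
      dnsProvider = "cloudflare";

      # Environment file that lego reads for the DNS provider credentials.
      # Requirements:
      #   * lives OUTSIDE the Nix store and is readable only by root (0600);
      #   * contains KEY=VALUE lines, not a bare token -- a lone token string
      #     is never picked up by lego, e.g.:
      #
      #       CLOUDFLARE_DNS_API_TOKEN=<token scoped to DNS edit on the zone>
      #
      # The path below is a placeholder; point it at wherever your secret
      # manager (sops-nix, agenix, manual provisioning, ...) places the file.
      environmentFile = "/run/secrets/cloudflare-acme.env";
    };
  };
}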