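# NixOS module: an openresty (nginx) forward proxy listening on 8883, run as
# a dedicated unprivileged user inside a systemd sandbox. The single location
# is reachable only when BOTH the source-IP allow-list and HTTP basic auth
# succeed (satisfy = "all").
{ pkgs, inputs', lib, config, ... }:
let
  inherit (lib) singleton;
in
{
  # Dedicated service account. uid/gid come from the static id table so they
  # stay stable across rebuilds (ownership of the runtime/cache/log dirs).
  users.users.nginx = {
    group = "nginx";
    isSystemUser = true;
    uid = config.ids.uids.nginx;
  };
  users.groups.nginx = {
    gid = config.ids.gids.nginx;
  };

  systemd.services.nginx-proxy =
    let
      # nginx.conf rendered by the nixng generator. It is written to the Nix
      # store (world-readable), so nothing secret may be embedded here; the
      # htpasswd file is referenced by path only.
      # NOTE(review): directive order follows the generator's traversal of the
      # attribute set (Nix sorts keys), so `allow` lands before `deny` — confirm
      # against the rendered file.
      nginxConfiguration = inputs'.nixng.nglib.generators.toNginx {
        # Foreground mode so systemd supervises the master process directly.
        daemon = "off";
        worker_processes = 2;
        events."" = {
          use = "epoll";
          worker_connections = 128;
        };
        error_log = "/var/log/nginx/error.log warn";
        http."" = {
          # Do not advertise the server version in headers/error pages.
          server_tokens = "off";
          include = singleton [ "${pkgs.nginx}/conf/mime.types" ];
          charset = "utf-8";
          access_log = "/var/log/nginx/access.log combined";
          server."" = {
            # Plain HTTP listener: basic-auth credentials are protected only by
            # the network path enforced through the allow-list below, not TLS.
            listen = [ "8883" ];
            location."/" = {
              # Both the IP allow-list and basic auth must pass.
              satisfy = "all";
              allow = [ [ "10.64.2.1" ] [ "127.0.0.1" ] ];
              deny = "all";
              auth_basic = "\"Administrator’s Area\"";
              auth_basic_user_file = "/var/secret/htpasswd";
              # Upstream hostnames are resolved through a public resolver; the
              # queries leave the host in clear text.
              resolver = "8.8.8.8";
              # Forward-proxy behaviour: the upstream is whatever the client puts
              # in its Host header, so the access controls above are the only
              # limit on who can relay traffic through this host.
              proxy_pass = "http://$http_host$uri$is_args$args";
            };
          };
        };
      };
    in
    {
      serviceConfig = {
        Restart = "always";
        RestartSec = "10s";

        # User and group
        User = "nginx";
        Group = "nginx";

        # Runtime directory and mode
        RuntimeDirectory = "nginx";
        RuntimeDirectoryMode = "0750";

        # Cache directory and mode
        CacheDirectory = "nginx";
        CacheDirectoryMode = "0750";

        # Logs directory and mode (backs error_log / access_log above)
        LogsDirectory = "nginx";
        LogsDirectoryMode = "0750";

        # Proc filesystem
        ProcSubset = "pid";
        ProtectProc = "invisible";

        # New file permissions
        UMask = "0027"; # 0640 / 0750

        # Capabilities
        # NOTE(review): 8883 is an unprivileged port and no rlimit directive is
        # configured, so neither capability looks required here; confirm before
        # dropping them from both sets.
        AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ];
        CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ];

        # Security
        NoNewPrivileges = true;

        # Sandboxing (sorted by occurrence in https://www.freedesktop.org/software/systemd/man/systemd.exec.html)
        ProtectSystem = "strict";
        ProtectHome = true;
        PrivateTmp = true;
        PrivateDevices = true;
        ProtectHostname = true;
        ProtectClock = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectKernelLogs = true;
        ProtectControlGroups = true;
        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
        RestrictNamespaces = true;
        LockPersonality = true;
        # presumably disabled because openresty's LuaJIT needs writable+executable
        # pages — TODO confirm; re-enable if the JIT is not used.
        MemoryDenyWriteExecute = false;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        RemoveIPC = true;
        PrivateMounts = true;

        # System Call Filtering
        SystemCallArchitectures = "native";
        SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid" ];
      };

      # The `ls` is a diagnostic dump of inherited fds and /dev into the journal;
      # it can go once the sandbox is verified. `exec` makes nginx replace the
      # shell so it is the unit's main process and receives signals directly.
      script = ''
        ls /proc/self/fd /dev
        exec ${pkgs.openresty}/bin/nginx -c ${pkgs.writeText "nginx.cfg" nginxConfiguration}
      '';
    };
}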