{ inputs, ... }:
{
  flake.nixngConfigurations.ingressBlowhole = inputs.nixng.nglib.makeSystem {
    system = "x86_64-linux";
    name = "ingress-blowhole";
    inherit (inputs) nixpkgs;

    config =
      { pkgs, lib, ... }:
      let
        inherit (lib)
          singleton;
      in
        {
          dumb-init = {
            enable = true;
            sigell.entries = [
              {
                signal = "HUP";
                action = {
                  type = "exec";
                  environment = {
                    PATH = "${pkgs.bash}/bin:${pkgs.busybox}/bin";
                  };
                  command =
                    [ "bash"
                      "-c"
                      "kill -s HUP \"$(cat /nginx.pid)\""
                    ];
                };
              }
              {
                signal = "TERM";
                action = {
                  type = "signal";
                  rewrite = "TERM";
                  selector = {
                    type = "child";
                  };
                };
              }
            ];
            type.services = {};
          };
          init.services.nginx.shutdownOnExit = true;


          services.nginx = {
            enable = true;
            envsubst = true;
            configuration = singleton {
              daemon = "off";
              worker_processes = 2;
              user = "nginx";

              events."" = {
                use = "epoll";
                worker_connections = 128;
              };

              error_log = [ "/dev/stderr" "warn" ];

              pid = "/nginx.pid";

              stream."" = {
                include = singleton [ "/local/streams.conf" ];
              };

              http."" = {
                server_tokens = "off";
                include = [
                  [ "${pkgs.nginx}/conf/mime.types" ]
                  [ "/local/upstreams.conf" ]
                ];
                charset = "utf-8";
                access_log = [ "/dev/stdout" "combined" ];

                server."" = {
                  listen = [ "80" "default_server" ];
                  server_name = singleton "blowhole.in.redalder.org";

                  location."/" = {
                    return = [ "301" "https://$$host$$request_uri" ];
                  };
                };
              };
            };
          };
        };
  };
}