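# NixOS module: puts nginx in front of a Prosody XMPP server on chat.<domain>
# (plain HTTP proxy, WebSocket, and HTTP file upload), using a certificate
# obtained for <domain> (+ chat.<domain>) through an HTTP-01 webroot that
# httpd serves for <domain>.
#
# Values read from configVars:
#   email.user                                 – ACME contact address
#   domains.xmpp                               – base domain; nginx serves chat.<domain>
#   networking.addresses.xmpp.localAddress     – address of Prosody's HTTP listener
#   networking.addresses.xmpp.ports.xmpp-c2s   – port proxied to (see note below)
{configVars, ...}:
let
  email = configVars.email.user;
  xmppDomain = configVars.domains.xmpp;
  xmppIp = configVars.networking.addresses.xmpp.localAddress;
  # NOTE(review): the attribute is called xmpp-c2s, but it is used here as the
  # HTTP (BOSH/WebSocket/upload) listener, not the 5222 client port — confirm
  # it holds Prosody's HTTP port.
  xmppPort = configVars.networking.addresses.xmpp.ports.xmpp-c2s;
  xmppUpstream = "http://${xmppIp}:${toString xmppPort}";
  # HTTP-01 webroot; also httpd's documentRoot for the base domain.
  webroot = "/var/www/${xmppDomain}";
  certDir = "/var/lib/acme/${xmppDomain}";
in {
  networking.firewall.allowedTCPPorts = [80 443];

  # Fixed ids so ownership of the webroot and certificate files is stable
  # across rebuilds. nginx joins www-data to be able to read the TLS key.
  users.groups.www-data = { gid = 33; };
  users.users.nginx = {
    isSystemUser = true;
    uid = 60;
    extraGroups = ["www-data"];
  };

  systemd.tmpfiles.rules = [
    # Owned by the acme user so it can create .well-known/acme-challenge;
    # world-readable so httpd can serve it. It must not be world-writable:
    # with 0777 any local account could drop files that httpd then serves on
    # this domain, including into the challenge directory.
    # NOTE(review): confirm the acme module's own tmpfiles rule for
    # .well-known/acme-challenge (if it has one) is satisfied by this ownership.
    "d ${webroot} 0755 acme www-data"
  ];

  # NOTE(review): services.httpd.enable is not set in this module. If it is
  # enabled elsewhere, httpd and the :80 redirect that forceSSL adds for
  # chat.${xmppDomain} both bind port 80 — confirm how the HTTP-01 challenge for
  # chat.${xmppDomain} (in extraDomainNames) is actually reached.
  services.httpd.virtualHosts."root" = {
    hostName = "${xmppDomain}";
    documentRoot = webroot;
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = email;
    certs = {
      "${xmppDomain}" = {
        webroot = webroot;
        email = email;
        # The chat host is a SAN on the base-domain certificate; nginx below
        # uses that certificate directly instead of requesting its own.
        extraDomainNames = [ "chat.${xmppDomain}" ];
        # Files under ${certDir} become group www-data, which nginx is in.
        group = "www-data";
      };
    };
  };

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    virtualHosts."chat.${xmppDomain}" = {
      # enableACME = true;
      forceSSL = true;
      extraConfig = ''
        # Upper bound for request bodies, i.e. file uploads on /upload/.
        client_max_body_size 10G;
      '';
      sslCertificate = "${certDir}/fullchain.pem";
      sslCertificateKey = "${certDir}/key.pem";

      locations = {
        # Everything not matched below (BOSH etc.) goes to Prosody, presented
        # under the base domain name.
        "/" = {
          proxyPass = xmppUpstream;
          extraConfig = ''
            proxy_set_header Host "${xmppDomain}";
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_buffering off;
            tcp_nodelay on;
          '';
        };

        # XMPP over WebSocket: needs HTTP/1.1 and the Upgrade handshake
        # forwarded; the long read timeout keeps idle sessions open.
        "/xmpp-websocket" = {
          proxyPass = "${xmppUpstream}/xmpp-websocket";
          extraConfig = ''
            proxy_http_version 1.1;
            proxy_set_header Connection "Upgrade";
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Host "${xmppDomain}";
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_read_timeout 900s;
          '';
        };

        # HTTP file upload: PUT is handled by Prosody's upload module,
        # downloads are served by nginx straight from its storage directory.
        "/upload/" = {
          extraConfig = ''
            proxy_buffering off;
            # NOTE(review): the other locations pin Host to ${xmppDomain}; this
            # one forwards the client's Host (chat.${xmppDomain}). Confirm which
            # name the upload module expects when it builds the download URL.
            proxy_set_header Host $host;
            # pass PUT requests to mod_http_upload for processing
            if ($request_method = PUT) {
              proxy_pass ${xmppUpstream};
            }
            # storage path of mod_http_upload; nginx (user "nginx") needs read
            # access to it. The location prefix ends in "/", so the alias must
            # too: nginx substitutes the matched prefix literally, and without
            # the slash /upload/x would map to /var/lib/prosody/http_uploadx.
            alias /var/lib/prosody/http_upload/;
            # These files are user-supplied and served from the chat origin:
            # stop browsers from sniffing them into HTML/scripts and from
            # running anything in them with this origin's privileges.
            add_header X-Content-Type-Options "nosniff" always;
            add_header Content-Security-Policy "default-src 'none'; sandbox" always;
          '';
        };
      };
    };
  };
}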