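{ ... }:
let
  # Location config shared by the static sites (u. and mu.).
  # Serves /foo for a request to /foo.html by redirecting the ".html" form
  # away, then resolves /foo via try_files. The redirect target is built as an
  # absolute URL on the configured server_name so that a crafted path such as
  # "//host/x.html" or "/\host/x.html" can never turn the Location header into
  # a protocol-relative (off-site) redirect. Matching on $uri rather than
  # $request_uri keeps the query string out of the capture; it is re-appended
  # with $is_args$args so "?..." survives the redirect.
  # NOTE(review): $uri is percent-decoded, so the Location header is emitted
  # unencoded; fine for ASCII file names — confirm if the sites use others.
  # disable_symlinks off presumably because the docroots contain symlinks;
  # it means nginx will follow links that point outside the root.
  staticSiteLocation = ''
    disable_symlinks off;
    if ($uri ~ ^/(.*)\.html$) {
      return 302 https://$server_name/$1$is_args$args;
    }
    try_files $uri $uri.html $uri/ =404;
  '';
in
{
  # SSH: key-only logins on a non-default port. KbdInteractiveAuthentication
  # is disabled explicitly, otherwise a PAM-backed password prompt remains
  # possible even with PasswordAuthentication = false.
  services.openssh = {
    enable = true;
    ports = [ 2291 ];
    # NOTE(review): NixOS merges list options, so sshd's stock
    # %h/.ssh/authorized_keys path most likely stays active alongside this
    # one — confirm that is intended.
    authorizedKeysFiles = [ "%h/.local/ssh/authorized_keys" ];
    settings = {
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
      PermitRootLogin = "no";
    };
  };

  # Only SSH and the nginx front end are reachable from outside; Forgejo
  # (3333) and the :5000 backend are proxied and never exposed directly.
  networking.firewall.allowedTCPPorts = [ 2291 80 443 ];

  # Ban clients that trip the nginx-4 filter 8 times within 120 s, for 600 s.
  services.fail2ban = {
    enable = true;
    jails."nginx".settings = {
      filter = "nginx-4";
      logpath = "/var/log/nginx/access.log";
      backend = "auto";
      maxretry = 8;
      bantime = 600;
      findtime = 120;
    };
  };

  # Filter used by the jail above: one hit per 4xx response in the access log.
  # fail2ban requires the <HOST> tag in failregex to know which address to
  # ban (the jail refuses to start without it), and nginx's default log line
  # begins with $remote_addr, so the pattern anchors on <HOST> instead of a
  # literal " - - " that would match nothing. Backslashes are literal inside
  # a Nix '' string, so \[ and \d reach fail2ban unchanged.
  environment.etc."fail2ban/filter.d/nginx-4.conf".text = ''
    [Definition]
    failregex = ^<HOST> - .* \[.*\] ".*" 4\d\d .*$
    ignoreregex =
  '';

  services.qemuGuest.enable = true;

  # Forgejo behind nginx (see virtualHosts."g.twoha.cc").
  services.forgejo = {
    enable = true;
    database.type = "sqlite3";
    settings = {
      DEFAULT.APP_NAME = "g.twoha.cc";
      server = {
        DOMAIN = "g.twoha.cc";
        ROOT_URL = "https://g.twoha.cc";
        # Only nginx talks to Forgejo over plain HTTP; bind to loopback so the
        # port stays private even if the firewall list changes later.
        HTTP_ADDR = "127.0.0.1";
        HTTP_PORT = 3333;
        LANDING_PAGE = "explore";
      };
      service.DISABLE_REGISTRATION = true;
    };
  };

  # One wildcard certificate via the DNS-01 challenge; the DNS API
  # credentials live in a root-only file that is not part of the Nix store.
  security.acme = {
    acceptTerms = true;
    defaults.email = "admin+acme@twoha.cc";
    certs."twoha.cc" = {
      dnsProvider = "porkbun";
      environmentFile = "/root/porkbun-creds";
      extraDomainNames = [ "*.twoha.cc" ];
    };
  };

  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    # Apex and the wildcard catch-all answer 401 for everything.
    virtualHosts."twoha.cc" = {
      useACMEHost = "twoha.cc";
      forceSSL = true;
      serverName = "twoha.cc";
      locations."/".return = 401;
    };

    virtualHosts."*.twoha.cc" = {
      useACMEHost = "twoha.cc";
      serverName = "*.twoha.cc";
      forceSSL = true;
      locations."/".return = 401;
    };

    # Static site with an additional proxied backend under /_/.
    virtualHosts."u.twoha.cc" = {
      useACMEHost = "twoha.cc";
      forceSSL = true;
      serverName = "u.twoha.cc";
      root = "/var/www/u";
      locations."/".extraConfig = staticSiteLocation;
      locations."/_/".proxyPass = "http://127.0.0.1:5000";
    };

    virtualHosts."mu.twoha.cc" = {
      useACMEHost = "twoha.cc";
      forceSSL = true;
      serverName = "mu.twoha.cc";
      root = "/var/www/mu";
      locations."/".extraConfig = staticSiteLocation;
    };

    # Reverse proxy for Forgejo; the body limit allows large pushes/uploads.
    # 127.0.0.1 rather than "localhost" matches the loopback bind above and
    # the other proxyPass entry, avoiding a ::1-first lookup that Forgejo is
    # not listening on.
    virtualHosts."g.twoha.cc" = {
      forceSSL = true;
      useACMEHost = "twoha.cc";
      serverName = "g.twoha.cc";
      extraConfig = ''
        client_max_body_size 512M;
      '';
      locations."/".proxyPass = "http://127.0.0.1:3333";
    };
  };

  # Lets nginx read the ACME-managed key and certificate.
  users.users.nginx.extraGroups = [ "acme" ];

  services.tailscale.enable = true;
}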