{
  flake,
  config,
  ...
}: let
  inherit (flake.config.machines.devices) server;
  inherit (flake.config.services.instances) upRootNutrition web;
  service = upRootNutrition;
  localhost = web.localhost.address0;
  host = web.domains.url3;
in {
  services = {
    caddy = {
      virtualHosts = {
        "${host}" = {
          extraConfig = ''

            root * /var/lib/website

            file_server

            try_files {path} /index.html
            encode gzip

            header {
              # Disable FLoC tracking
              Permissions-Policy interest-cohort=()
              # Enable HSTS
              Strict-Transport-Security "max-age=31536000; includeSubDomains"
              # Prevent MIME-type sniffing
              X-Content-Type-Options nosniff

              tls ${service.ssl.cert} ${service.ssl.key}
          '';
        };
      };
    };
  };
}