# NixOS module: nginx test web server with a plain-HTTP site on port 80 and a
# TLS site on port 443, let through the firewall on the wireguard0 interface.
{pkgs, lib, config, ...}: {
    # Allow inbound TCP 80/443 on the interface named wireguard0; this line
    # opens them on no other interface. Both `listen` directives below omit an
    # address, so nginx itself accepts on every local address and this
    # per-interface rule is the only exposure limit visible in this file.
    # NOTE(review): confirm the firewall is enabled and that 80/443 are not
    # also opened globally (networking.firewall.allowedTCPPorts) elsewhere.
    networking.firewall.interfaces.wireguard0.allowedTCPPorts = [ 80 443 ];

    # Generate a test cert (self-signed, RSA 4096, SHA-256, valid 3650 days):
    # sudo openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 \
    #   -nodes -keyout test-ssl.key -out test-ssl.crt -subj "/CN=test-ssl" \
    #   -addext "subjectAltName=DNS:test-ssl,DNS:*.test-ssl,IP:10.100.0.2"
    #
    # Security notes on the command above:
    # - `-nodes` writes the private key unencrypted, so file permissions are
    #   its only protection. Keep test-ssl.key readable only by the account
    #   that has to load it (NOTE(review): confirm which user nginx runs as).
    # - The command writes both files to the current directory, while nginx
    #   below reads them from /etc/ssl/nginx/; they have to be created in or
    #   moved to that directory.
    # - The key path below is plain text inside a string, so the key is not
    #   copied into the Nix store. Keep it that way: store paths are
    #   world-readable.
    # - The cert is self-signed, so clients must trust it explicitly; the
    #   ten-year lifetime makes it suitable for testing only.
    # - The IP SAN 10.100.0.2 is presumably this host's address on the
    #   WireGuard tunnel; confirm, and regenerate the cert if it changes.

    services.nginx = {
        enable = true;
        # Raw nginx configuration supplied as text through httpConfig.
        # - Port 80: catch-all default server (`server_name _`) that serves
        #   /var/www/test over plain HTTP. It does not redirect to HTTPS.
        # - Port 443: TLS server that serves a separate docroot,
        #   /var/www/test-ssl, with the cert and key generated above.
        # - `server_name_in_redirect off` keeps the placeholder name `_` out
        #   of redirects that nginx generates.
        # - No ssl_protocols or ssl_ciphers directive appears in this text, so
        #   protocol and cipher selection fall back to defaults.
        #   NOTE(review): verify the effective TLS settings in the generated
        #   nginx.conf before reusing this outside a test setup.
        httpConfig = ''
            index index.html;
            server {
                listen 80 default_server;
                server_name _;
                server_name_in_redirect off;
                root  /var/www/test;
            }
            server {
                listen 443 ssl;
                server_name _;
                server_name_in_redirect off;
                root /var/www/test-ssl;
                ssl_certificate     /etc/ssl/nginx/test-ssl.crt;
                ssl_certificate_key /etc/ssl/nginx/test-ssl.key;
            }
        '';
    };
}