hosts: { lib, ... }:
	let
		mapMkMerge = builtins.mapAttrs (_host: configs: lib.mkMerge configs);
	in {
		services.nginx = {
			enable = true;
			virtualHosts = {
				"404.cryto.net" = {
					# Pseudo-hostname just to set a default when no Host header is specified
					default = true;
					extraConfig = ''
						return 404;
					'';
				};
			} // mapMkMerge hosts;
		};

		networking.firewall.allowedTCPPorts = [
			80  # HTTP
			443 # HTTPS
		];
	}