{
  pkgs,
  config,
  lib,
  ...
}: {
  options.website.defaultHeaders = lib.mkOption {
    type = lib.types.str;
    default = ''
      header {
        -Server
        -Date
        -Last-Modified
        -Etag
        -Accept-Ranges
        # disable indexing by search engines

        X-Robots-Tag "noindex, nofollow"

       # disable FLoC tracking
        # Permissions-Policy interest-cohort=()

        # enable HSTS
        # Strict-Transport-Security max-age=31536000;

        # disable clients from sniffing the media type
        # X-Content-Type-Options nosniff

        # clickjacking protection
        # X-Frame-Options DENY

        # keep referrer data off of HTTP connections
        # Referrer-Policy no-referrer-when-downgrade
      }
    '';
  };
  config = {
    services.caddy = {
      enable = true;
      virtualHosts = {
        "tzlil.net".extraConfig = ''
          bind 0.0.0.0
          handle_path / {
            try_files ${pkgs.writeText "index.html" ''
             <style>
             @media (prefers-color-scheme: dark) {
                 body { background-color: #121212; color: #d4d4d4; }
                 a { color: #7878ff; }
                 a:visited { color: #6464fa; }
             }
             </style>
             <pre>
            <a href="https://fm.tzlil.net">fm.tzlil.net</a> music
            <a href="https://git.tzlil.net">git.tzlil.net</a> for everything im too embarrased to put on sourcehut
            </pre>
          ''} /
            file_server
          }
        '';
      };
    };
    networking.firewall.allowedTCPPorts = [80 443];

    environment.persistence."/nix/persist".directories = [
      {
        directory = "/var/lib/caddy";
        user = "caddy";
        group = "caddy";
      }
    ];
  };
}