{...}: {
  networking.firewall.allowedTCPPorts = [80];

  services.nginx = {
    enable = true;
    virtualHosts."liljamo.com" = {
      default = true;
      locations."/.well-known/webfinger" = {
        # https://www.authelia.com/integration/openid-connect/tailscale/
        extraConfig = ''
          set $jlres '{"subject": "acct:jonni@liljamo.com", "links": [{"rel": "http://openid.net/specs/connect/1.0/issuer", "href": "https://auth.liljamo.com"}]}';
          if ($request_uri ~ 'resource=acct:jonni@liljamo.com') {
            return 200 $jlres;
          }
          if ($request_uri ~ 'resource=acct%3Ajonni%40liljamo.com') {
            return 200 $jlres;
          }
        '';
      };
    };
  };
}