{ lib, ... }:
{
  services.nginx = {
    enable = true;
    additionalModules = [ ];
    recommendedOptimisation = true;
    recommendedTlsSettings = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;
    virtualHosts = lib.mkForce { };
    streamConfig = ''
      server {
          listen 34197 udp;
          proxy_pass 100.123.15.72:34197;
          proxy_responses 0;
      }
    '';
    appendHttpConfig = ''
      # Add X-Frame-Options to prevent clickjacking
      add_header X-Frame-Options SAMEORIGIN;

      # Prevent mime type sniffing
      add_header X-Content-Type-Options nosniff;

      # Never send Referer header
      add_header Referrer-Policy no-referrer;

      # Require CORS or CORP headers for cross-origin resources
      add_header Cross-Origin-Embedder-Policy require-corp;

      # Keep our own Browsing Context Group
      add_header Cross-Origin-Opener-Policy same-origin;

      # Sites that require CORP will not load my assets
      add_header Cross-Origin-Resource-Policy same-origin;
    '';
  };
}