{config, ...}: {
  services.znc = {
    enable = true;
    openFirewall = true;
    mutable = true;
    useLegacyConfig = false;
    config = {
      SSLCertFile = "/var/lib/acme/znc.tonybtw.com/full.pem";
      LoadModule = ["webadmin" "adminlog"];
      Listener.l = {
        Port = 6697;
        SSL = true;
      };
      Listener.http = {
        Port = 6680;
        SSL = false;
        AllowWeb = true;
        AllowIRC = false;
      };
      User.tony = {
        Admin = true;
        Nick = "tonybtw";
        AltNick = "tonybtw_";
        Ident = "tony";
        RealName = "tony";
        LoadModule = ["chansaver" "controlpanel"];
        Network.libera = {
          Server = "irc.libera.chat +6697";
          LoadModule = ["simple_away" "sasl" "nickserv" "log"];
          Chan = {
            "#technicalrenaissance" = {};
          };
        };
        Pass.password = {
          Method = "sha256";
          Hash = "97ffb83f9bd78b863e473a271a3a5560d392c8879ae92c8db29a59e42e6d09e0";
          Salt = "F-vUQiMO?R0EPUEtk*Gt";
        };
      };
    };
  };

  services.nginx.virtualHosts."znc.tonybtw.com" = {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      proxyPass = "http://127.0.0.1:6680";
      extraConfig = ''
        proxy_http_version 1.1;
        proxy_set_header Host $host;
      '';
    };
  };

  security.acme.certs."znc.tonybtw.com".group = "znc";
  users.users.nginx.extraGroups = ["znc"];

  networking.firewall.allowedTCPPorts = [6697];
}