{ lib
, ...
}:
rec {
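  # Render the right-hand side of a single directive.
  #
  # A list is treated as a space-separated source list:
  #   - elements starting with "http" are emitted unchanged (URL sources);
  #   - elements already wrapped in single quotes are emitted unchanged, so
  #     "'self'" no longer becomes ''self'' (which is not a valid source
  #     expression);
  #   - everything else is wrapped in single quotes, the form CSP keywords,
  #     nonces and hashes take.
  # Any non-list value is passed through toString.
  #
  # NOTE(review): the "http" prefix test is the only thing that keeps a bare
  # element unquoted, so scheme sources (data:), plain hosts and wildcards
  # given as list elements still come out quoted. Browsers are expected to
  # ignore source expressions they cannot parse, so the served policy ends up
  # stricter than the one written; give such directives as a plain string
  # instead of a list until the quoting rule is widened.
  subValue = v:
    let
      looksLikeUrl = s: builtins.substring 0 4 s == "http";
      alreadyQuoted = s:
        let
          len = builtins.stringLength s;
        in
        len >= 2
        && builtins.substring 0 1 s == "'"
        && builtins.substring (len - 1) 1 s == "'";
      renderSource = s:
        if looksLikeUrl s || alreadyQuoted s
        then s
        else "'${s}'";
    in
    if builtins.isList v
    then builtins.concatStringsSep " " (builtins.map renderSource v)
    else toString v;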

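  # Render a complete header value.
  #
  # sep: string placed between a directive name and its value ("=" or " ").
  # val: either an attribute set of directives or any value toString accepts.
  #
  # For an attribute set, each attribute becomes one directive and the
  # directives are joined with "; " (attribute sets iterate in name order):
  #   - `name = true`  -> the bare flag `name`;
  #   - `name = false` -> omitted. The original emitted the flag for false as
  #     well, so writing e.g. `preload = false` on strict-transport-security
  #     still switched the flag on, which is the opposite of what was asked.
  #   - anything else  -> `name<sep><subValue value>`.
  headerValue = sep: val:
    if builtins.isAttrs val
    then
      let
        # Drop directives explicitly switched off before rendering.
        enabled = lib.attrsets.filterAttrs (_: v: v != false) val;
        renderDirective = k: v:
          if builtins.isBool v
          then k
          else "${k}${sep}${subValue v}";
      in
      builtins.concatStringsSep "; "
        (lib.attrsets.mapAttrsToList renderDirective enabled)
    else toString val;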
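  # Build one `<name> "<value>"` line for a header block.
  #
  # header: header name, emitted exactly as given.
  # value:  anything headerValue accepts.
  #
  # CSP directives separate name and value with a space, every other
  # structured header here uses "=". The match is case-insensitive and also
  # covers the report-only variant: with an exact lower-case comparison,
  # "Content-Security-Policy" or "content-security-policy-report-only" were
  # rendered as `default-src='self'`, which is not a valid directive, so the
  # site would be served with no effective policy and no error at build time.
  #
  # NOTE(review): the value is wrapped in double quotes without escaping, so a
  # value that itself contains `"` (Permissions-Policy origin lists do) ends
  # the quoted token early and the rest is read as further configuration.
  # Values come from the Nix configuration rather than from requests, but the
  # generated block should be checked whenever such a header is added.
  genHeader = header:
    let
      cspHeaders = [
        "content-security-policy"
        "content-security-policy-report-only"
      ];
      isCsp = builtins.elem (lib.strings.toLower header) cspHeaders;
      sep = if isCsp then " " else "=";
    in
    value: "${header} \"${headerValue sep value}\"";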

  # Emit a `header <matcher> { ... }` block containing one line per attribute
  # of `headers`, each rendered by genHeader and joined with newlines.
  #
  # matcher: request matcher text placed after `header`; may be empty.
  # headers: attribute set mapping header name -> value.
  #
  # Only the first rendered line picks up the two-space indent inside the
  # braces; the following lines start at column 0 because the joined text is
  # interpolated as a single string.
  headers = matcher: headers:
    let
      directiveLines = lib.attrsets.mapAttrsToList genHeader headers;
      body = builtins.concatStringsSep "\n" directiveLines;
    in
    ''
      header ${matcher} {
        ${body}
      }
    '';
  # Header block with a baseline set of security headers.
  #
  # matcher:   request matcher passed through to `headers` (default "").
  # overrides: attribute set merged over the defaults with `//`.
  #
  # Defaults: HSTS with a two-year max-age, `nosniff`, and framing denied.
  #
  # The merge is shallow and keyed on the exact attribute name: overriding
  # strict-transport-security replaces the whole directive set (max-age
  # included), and an override spelled with different capitalisation is added
  # next to the default instead of replacing it.
  security-headers = { matcher ? "", overrides ? { } }:
    let
      twoYearsInSeconds = 2 * 365 * 24 * 60 * 60;
      defaults = {
        strict-transport-security = { max-age = twoYearsInSeconds; };
        x-content-type-options = "nosniff";
        x-frame-options = "DENY";
      };
    in
    headers matcher (defaults // overrides);
}