{ config, pkgs, inputs, ... }:

{
  services.nginx = {
    enable = true;

    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    gitweb = {
      enable = true;
      virtualHost = "git.tsvallender.co.uk";
      location = "/web";
    };
    virtualHosts."git.tsvallender.co.uk" = {
      forceSSL = true;
      enableACME = true;
    };

    virtualHosts."tsvallender.co.uk" = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "http://127.0.0.1:8000";
        extraConfig =
          "proxy_set_header X-Real-IP $remote_addr;" +
          "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;" +
          "proxy_set_header X-Forwarded-Proto https;" +
          "proxy_set_header X-Forwarded-Server $host;" +
          "proxy_redirect off;"
        ;
      };
    };

    # Syncthing
    virtualHosts."syncthing.tsvallender.co.uk" = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "http://127.0.0.1:8384";
      };
    };

    # Miniflux
    virtualHosts."feeds.tsvallender.co.uk" = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "http://127.0.0.1:8080";
      };
    };

    # Radicale
    virtualHosts."cal.tsvallender.co.uk" = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "http://127.0.0.1:5232";
      };
    };

    # Wallabag
    virtualHosts."wb.tsvallender.co.uk" = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "http://127.0.0.1:8485";
      };
    };
  };

  security.acme = {
    acceptTerms = true;
    defaults = {
      email = "t+acme@tsvallender.co.uk";
    };
  };
}