{ config, ... }:

{
  security.acme = {
    acceptTerms = true;
    defaults.email = "security@lyes.eu";
  };

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    virtualHosts = {
      "minish.link" = {
        serverAliases = [
          "www.minish.link"
          "minish.fr"
          "www.minish.fr"
        ];
        default = true;
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          root = "/var/data/www/minish.link/";
        };
        extraConfig = ''
          error_page 404 /404.html;
        '';
      };
      "lyes.eu" = {
        serverAliases = [ "www.lyes.eu" ];
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          root = "/var/data/www/lyes.eu/";
        };
        extraConfig = ''
          error_page 404 /404.html;
        '';
      };
      # 44300
      "auth.minish.link" = {
        serverAliases = [ "auth.lyes.eu" ];
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "https://${config.services.kanidm.server.settings.bindaddress}";
        };
      };
      # 44301
      "vault.minish.link" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT}";
          proxyWebsockets = true;
        };
      };
      # 44302
      "manga.minish.link" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "http://localhost:${toString config.services.komga.settings.server.port}";
          proxyWebsockets = true;
        };
      };
      # 44312
      "dl.manga.minish.link" = {
        forceSSL = true;
        enableACME = true;
        locations."/".proxyPass = "http://${config.networking.vpn-netns.vethIP}:${toString config.services.suwayomi-server.settings.server.port}";
      };
      # 44303
      "git.minish.link" = {
        forceSSL = true;
        enableACME = true;
        extraConfig = ''
          client_max_body_size 512M;
        '';
        locations."/".proxyPass = "http://localhost:${toString config.services.forgejo.settings.server.HTTP_PORT}";
      };
      # 8096
      "media.minish.link" = {
        forceSSL = true;
        enableACME = true;
        locations = {
          "/".proxyPass = "http://localhost:8096";
          "/metrics" = {
            proxyPass = "http://localhost:8096";
            extraConfig = ''
              allow 127.0.0.1;
              allow ::1;
              allow 185.230.78.13;
              allow 10.13.0.0/24;
              allow 10.13.9.0/24;
              allow 192.168.1.0/30;
              deny  all;
            '';
          };
        };
      };
      # 44304
      "torrent.minish.link" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "http://${config.networking.vpn-netns.vethIP}:${toString config.services.qbittorrent.webuiPort}";
        };
      };
      # 44305
      "files.minish.link" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "http://localhost:${toString config.services.copyparty.settings.p}";
        };
      };

      # 9980
      "collabora.lyes.eu" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "http://localhost:${toString config.services.collabora-online.port}";
          proxyWebsockets = true; # collabora a besoin des websockets
        };
      };
    };
  };
}