{ config, ... }:

{
  security.acme = {
    acceptTerms = true;
    defaults.email = "security@lyes.eu";
  };

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    virtualHosts = {
      "auth.lyes.eu" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "https://${config.services.kanidm.serverSettings.bindaddress}";
        };
      };
      "vault.lyes.eu" = {
        locations."/" = {
          proxyPass = "http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT}";
          proxyWebsockets = true;
        };
      };
    };
  };
}