# NixOS module: ACME account settings plus the nginx reverse proxy that
# fronts every public *.lyes.eu service. Each virtual host redirects HTTP to
# HTTPS (forceSSL) and obtains its certificate through ACME (enableACME).
# Backend ports are read from the corresponding service options where such an
# option is referenced, so the proxy follows the service configuration.
{ config, ... }: {
  security.acme = {
    # Required by the NixOS ACME module before any certificate is requested.
    acceptTerms = true;
    # Contact address registered with the ACME account.
    defaults.email = "security@lyes.eu";
  };

  services.nginx = {
    enable = true;
    # NixOS presets: forwarding headers for proxied locations and the
    # module's recommended TLS parameters.
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    virtualHosts = {
      # Static site. `default = true` makes this the catch-all server, so
      # requests with an unknown Host header land here.
      "lyes.eu" = {
        default = true;
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          root = "/var/data/www/lyes.eu/";
        };
        # Disabled source-address allow-list, kept by the author for reference:
        # extraConfig = ''
        #   allow 82.67.15.247;
        #   deny all;
        # '';
      };

      # Author's port note: 44300
      # Identity provider (kanidm), proxied over HTTPS to its bind address.
      # NOTE(review): nginx does not verify upstream certificates unless
      # proxy_ssl_verify is enabled; confirm bindaddress is loopback-only,
      # otherwise pin/verify the upstream certificate.
      "auth.lyes.eu" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "https://${config.services.kanidm.serverSettings.bindaddress}";
        };
      };

      # Author's port note: 44301
      # Password vault (vaultwarden) on its Rocket port, websockets enabled.
      # NOTE(review): no proxy-level restriction is visible here; if the
      # vaultwarden admin panel is enabled, consider an allow/deny list on
      # its path, in the same style as the /metrics location below.
      "vault.lyes.eu" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT}";
          proxyWebsockets = true;
        };
      };

      # Author's port note: 44302
      # Komga, proxied to its configured server port with websockets.
      "manga.lyes.eu" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "http://localhost:${toString config.services.komga.settings.server.port}";
          proxyWebsockets = true;
        };
      };

      # Author's port note: 44303
      # Forgejo. The request body limit is raised to 512M for this vhost
      # only (presumably for large pushes/uploads — confirm the need).
      "git.lyes.eu" = {
        forceSSL = true;
        enableACME = true;
        extraConfig = ''
          client_max_body_size 512M;
        '';
        locations."/".proxyPass = "http://localhost:${toString config.services.forgejo.settings.server.HTTP_PORT}";
      };

      # Author's port note: 8096
      # Media server on a hard-coded local port. /metrics is restricted by
      # source address: loopback, one public address and three private
      # ranges are allowed, everything else is denied.
      # NOTE(review): 192.168.1.0/30 covers only 192.168.1.0-192.168.1.3;
      # confirm that mask is intended.
      # NOTE(review): nginx prefix locations match case-sensitively. Confirm
      # the backend also treats paths case-sensitively; otherwise use a
      # case-insensitive regex location (`~* ^/metrics`) so the ACL applies
      # to every spelling of the path.
      "media.lyes.eu" = {
        forceSSL = true;
        enableACME = true;
        locations = {
          "/".proxyPass = "http://localhost:8096";
          "/metrics" = {
            proxyPass = "http://localhost:8096";
            extraConfig = ''
              allow 127.0.0.1;
              allow ::1;
              allow 185.230.78.13;
              allow 10.13.0.0/24;
              allow 10.13.9.0/24;
              allow 192.168.1.0/30;
              deny all;
            '';
          };
        };
      };

      # Author's port note: 44304
      # qBittorrent web UI, reached through the VPN network namespace's
      # veth address rather than localhost.
      # NOTE(review): recommendedProxySettings = true (set above) already
      # supplies Host, X-Real-IP, X-Forwarded-For and X-Forwarded-Proto for
      # proxied locations in the NixOS nginx module, so these explicit lines
      # look redundant and may be emitted twice; check the generated
      # nginx.conf.
      # NOTE(review): no source-address restriction is visible on this vhost;
      # access control appears to rest on the web UI's own login. Consider
      # an allow/deny list or fronting it with the SSO at auth.lyes.eu.
      "torrent.lyes.eu" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "http://${config.networking.vpn-netns.vethIP}:${toString config.services.qbittorrent.webuiPort}";
          extraConfig = ''
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          '';
        };
      };

      # Author's port note: 9980
      # Collabora Online, proxied to its configured port.
      "collabora.lyes.eu" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "http://localhost:${toString config.services.collabora-online.port}";
          proxyWebsockets = true; # Collabora needs websockets
        };
      };
    };
  };
}