{ config, ... }:

{
  security.acme = {
    acceptTerms = true;
    defaults.email = "security@lyes.eu";
  };

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    virtualHosts = {
      "lyes.eu" = {
        default = true;
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          root = "/var/data/www/lyes.eu/";
        };
        # extraConfig = ''
        #   allow 82.67.15.247;
        #   deny all;
        # '';
      };
      # 44300
      "auth.lyes.eu" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "https://${config.services.kanidm.serverSettings.bindaddress}";
        };
      };
      # 44301
      "vault.lyes.eu" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT}";
          proxyWebsockets = true;
        };
      };
      # 44302
      "manga.lyes.eu" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "http://localhost:${toString config.services.komga.settings.server.port}";
          proxyWebsockets = true;
        };
      };
      
      # 9980
      "collabora.lyes.eu" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "http://localhost:${toString config.services.collabora-online.port}";
          proxyWebsockets = true; # collabora a besoin des websockets
        };
      };
    };
  };
}