{ config, values, ... }:
{
  services.nginx = {
    enable = true;
    enableReload = true;

    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;

    defaultListen = [
      {
        addr = "192.168.10.175";
        port = 80;
        ssl = false;
      }
    ];
  };

  networking.firewall.allowedTCPPorts = [
       80   443 # Internal / Default
    43080 43443 # External / Publicly exposed
  ];

  security.acme = {
    acceptTerms = true;
    defaults.email = "felix@albrigtsen.it";
  };

  # Publicly exposed services:

  services.nginx.virtualHosts = let
    publicProxy = upstream: {
      listen = [
        { addr = "192.168.10.175"; port = 43443; ssl = true; }
        { addr = "192.168.10.175"; port = 43080; ssl = false; }
      ];
      enableACME = true;
      forceSSL = true;

      locations."/".proxyPass = "${upstream}";

      extraConfig = ''
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;

        server_tokens off;
      '';
    };
  in {
    "auth.feal.no" = publicProxy "https://voyager.home.feal.no";
    "cloud.feal.no" = publicProxy "http://voyager.home.feal.no";
    "git.feal.no" = publicProxy "http://unix:${config.services.gitea.settings.server.HTTP_ADDR}";
    "jf.feal.no" = publicProxy "http://jellyfin.home.feal.no/";
    "wiki.wackattack.eu" = publicProxy "http://pascal.wackattack.home.feal.no/";
  };
}