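# nginx reverse proxy + ACME for the feal.no hosts.
# Everything binds to 192.168.10.175; ports 80/443 are the internal defaults,
# 43080/43443 are the ports exposed publicly and carry the ACME'd vhosts.
{ config, values, ... }:
let
  listenAddr = "192.168.10.175";

  # Externally reachable ports (see the firewall list below). Every public
  # vhost listens on both: plain HTTP for the ACME challenge / redirect,
  # TLS for the actual service.
  publicHttpPort = 43080;
  publicHttpsPort = 43443;

  # Builds a vhost that terminates TLS on the public ports and forwards all
  # requests to `upstream`. The result is a plain attrset, so a caller can
  # extend it with `//` instead of repeating the listen/ACME/forceSSL block.
  publicProxy = upstream: {
    listen = [
      { addr = listenAddr; port = publicHttpsPort; ssl = true; }
      { addr = listenAddr; port = publicHttpPort; ssl = false; }
    ];
    enableACME = true;
    forceSSL = true;
    locations."/".proxyPass = "${upstream}";
  };
in
{
  services.nginx = {
    enable = true;
    enableReload = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    # Listen entry used by vhosts that do not set `listen` themselves:
    # internal plain HTTP only.
    defaultListen = [
      { addr = listenAddr; port = 80; ssl = false; }
    ];
  };

  networking.firewall.allowedTCPPorts = [
    80 443                         # Internal / Default
    publicHttpPort publicHttpsPort # External / Publicly exposed
  ];

  security.acme = {
    acceptTerms = true;
    defaults.email = "felix@albrigtsen.it";
  };

  # Publicly exposed services:
  services.nginx.virtualHosts = {
    "jf.feal.no" = publicProxy "http://jellyfin.home.feal.no/";
    "git.feal.no" = publicProxy "http://unix:${config.services.gitea.settings.server.HTTP_ADDR}";
    "wiki.wackattack.eu" = publicProxy "http://pascal.wackattack.home.feal.no/";

    # Nextcloud: identical listen/ACME/forceSSL setup to the other public
    # vhosts, plus the server-level tuning from the Nextcloud nginx example.
    # NOTE(review): the gzip directives below override the module's
    # recommendedGzipSettings for this server block only, and they compress
    # dynamic proxied responses (application/json, text/plain, ...) over TLS;
    # confirm the list still matches the upstream Nextcloud recommendation
    # before widening it.
    "cloud.feal.no" = publicProxy "http://nextcloud.home.feal.no/" // {
      extraConfig = ''
        server_tokens off;

        gzip on;
        gzip_vary on;
        gzip_comp_level 4;
        gzip_min_length 256;
        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
        gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

        # HSTS settings
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        # NOTE(review): whether recommendedTlsSettings already emits an HSTS
        # header depends on the nixpkgs revision in use; check the generated
        # nginx.conf before enabling the line below, and keep `preload` off
        # unless the warning above has been acted on.
        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
      '';
    };
  };
}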