{ secrets, ... }:

{
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    virtualHosts."git.colorsky.fun" = {
      forceSSL = true;
      useACMEHost = "colorsky.fun";
      locations."/".proxyPass = "http://localhost:3001";

      extraConfig = ''
        listen [::]:8443 ssl;
      '';
    };

    virtualHosts."napcat.colorsky.fun" = {
      forceSSL = true;
      useACMEHost = "colorsky.fun";
      locations."/".proxyPass = "http://localhost:6099";

      extraConfig = ''
        listen [::]:8443 ssl;
      '';
    };

    virtualHosts."ddns.colorsky.fun" = {
      forceSSL = true;
      useACMEHost = "colorsky.fun";

      locations."/".proxyPass = "http://localhost:9876";

      extraConfig = ''
        listen [::]:8443 ssl;
      '';
    };

    virtualHosts."bot.colorsky.fun" = {
      forceSSL = true;
      useACMEHost = "colorsky.fun";

      locations."/" = {
        proxyPass = "http://localhost:23231";
        proxyWebsockets = true;
      };
      extraConfig = ''
        listen [::]:8443 ssl;
      '';
    };

  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "i@colorsky.fun";
    certs."colorsky.fun" = {
      domain = "*.colorsky.fun";
      dnsProvider = "cloudflare";
      dnsPropagationCheck = true;

      group = "nginx";

      environmentFile = secrets.files.cloudflare-api-key;
    };
  };
}