{ secrets, ... }:

{
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    virtualHosts."git.colorsky.fun" = {
      forceSSL = true;
      useACMEHost = "colorsky.fun";
      locations."/".proxyPass = "http://localhost:3001";

      extraConfig = ''
        listen [::]:8443 ssl;
      '';
    };

    virtualHosts."napcat.colorsky.fun" = {
      forceSSL = true;
      useACMEHost = "colorsky.fun";
      locations."/".proxyPass = "http://localhost:6099";

      extraConfig = ''
        listen [::]:8443 ssl;
      '';
    };

    virtualHosts."192.168.68.59" = { };
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "i@colorsky.fun";
    certs."colorsky.fun" = {
      domain = "*.colorsky.fun";
      dnsProvider = "cloudflare";
      dnsPropagationCheck = true;

      group = "nginx";

      environmentFile = secrets.files.cloudflare-api-key;
    };
  };
}