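# NixOS module: nginx reverse proxy for two internal services, with
# certificates issued by ACME using the Cloudflare DNS-01 challenge.
# The Cloudflare API tokens are provided through sops-nix.
{inputs, pkgs, config, ...}: {
  # Cloudflare API tokens, decrypted from the sops-encrypted nginx.json.
  # NOTE(review): scope these as narrowly as Cloudflare allows. The ACME
  # client (lego) only needs DNS edit rights on the zone for the DNS token
  # and zone read rights for the zone token. Confirm the tokens are not
  # account-wide.
  sops.secrets."CF_DNS_API_TOKEN" = {
    format = "json";
    sopsFile = "${inputs.secrets}/nginx.json";
  };
  sops.secrets."CF_ZONE_API_TOKEN" = {
    format = "json";
    sopsFile = "${inputs.secrets}/nginx.json";
  };

  # Environment file read by the ACME client. Only sops placeholders are
  # written here; sops-nix substitutes the real values when it renders the
  # template, so the token values are not embedded in this expression.
  sops.templates."ACME.env".content = ''
    CF_DNS_API_TOKEN="${config.sops.placeholder."CF_DNS_API_TOKEN"}"
    CF_ZONE_API_TOKEN="${config.sops.placeholder."CF_ZONE_API_TOKEN"}"
  '';

  # Port 80 stays open only so that plain-HTTP requests can be redirected
  # to HTTPS. Issuance uses DNS-01 and does not depend on it.
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  security.acme = {
    acceptTerms = true;
    defaults = {
      dnsProvider = "cloudflare";
      environmentFile = config.sops.templates."ACME.env".path;
      email = "nyxerinys5@gmail.com";
    };
  };

  services.nginx = {
    enable = true;
    virtualHosts = {
      # Both hosts previously used `addSSL`, which serves the proxied
      # application over plain HTTP as well as HTTPS. `forceSSL` keeps the
      # port-80 listener but answers it with a redirect to HTTPS, so
      # credentials and session cookies are not accepted in cleartext.
      # `acmeRoot = null` turns off the HTTP-01 webroot, which is not needed
      # because the DNS provider configured in security.acme.defaults is used.
      #
      # NOTE(review): the upstream hop to 10.5.0.2 is plain HTTP. Confirm
      # that address is reachable only over a private or trusted link.
      "vault.nyxerinys.dev" = {
        forceSSL = true;
        enableACME = true;
        acmeRoot = null;
        locations."/" = {
          proxyPass = "http://10.5.0.2:83";
          proxyWebsockets = true;
        };
      };
      "git.nyxerinys.dev" = {
        forceSSL = true;
        enableACME = true;
        acmeRoot = null;
        locations."/" = {
          proxyPass = "http://10.5.0.2:3000";
          proxyWebsockets = true;
        };
      };
    };
  };
}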