{ lib, pkgs, config, ... }:
{
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;

    virtualHosts = {
      "pve.infra.cdaut.de" = {
        enableACME = true;
        forceSSL = true;
        locations."/" = {
          proxyPass = "https://10.0.0.254:8006";
          extraConfig = "    
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection \"upgrade\";
          ";
        };
      };
      "corerouter.infra.cdaut.de" = {
        enableACME = true;
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://10.0.0.1:80";
        };
      };
      "puppyplaypissparty.de" = {
        enableACME = true;
        forceSSL = true;
        locations."/" = {
          proxyPass = "https://10.0.0.4";
          extraConfig = "proxy_ssl_verify off;";
        };
      };
      "tasks.cdaut.de" = {
        enableACME = true;
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://10.0.0.5:3456";
        };
      };
      "new.git.cdaut.de" = {
        enableACME = true;
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://10.0.0.6:3000";
        };
      };
      "tasks.flux-ka.de" = {
        enableACME = true;
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://10.0.0.6:3000";
        };
      };
    };
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "acme@cdaut.de";
  };

  networking.firewall.allowedTCPPorts = [ 80 443 ];
}