# NixOS module: nginx as the TLS-terminating reverse proxy in front of the
# services on this host. Every virtual host redirects HTTP to HTTPS and
# serves the certificate managed under the ACME host "dryb.org".
{ config, ... }:

let
  # Settings shared by every virtual host. All names reuse one certificate,
  # so the "dryb.org" ACME cert (defined outside this file) has to cover
  # each hostname below, via extra domain names or a wildcard.
  withTls = extra: {
    useACMEHost = "dryb.org";
    forceSSL = true;
  } // extra;

  # Virtual host that forwards "/" to a plain-HTTP upstream on loopback.
  # NOTE(review): the upstreams are unencrypted and unauthenticated at this
  # layer; confirm each backend listens on 127.0.0.1 only, so it cannot be
  # reached without going through nginx.
  proxyTo = upstream: withTls {
    locations."/" = {
      proxyPass = upstream;
    };
  };
in
{
  # Presumably needed so the nginx user can read the certificate files
  # owned by the "acme" group; confirm against the security.acme setup.
  users.users.nginx.extraGroups = [ "acme" ];

  services.nginx = {
    enable = true;

    # NOTE(review): recommendedProxySettings is not set in this file. Unless
    # it is enabled elsewhere, backends may see every client as 127.0.0.1,
    # which weakens their access logs and per-IP login throttling.
    # NOTE(review): no vhost is marked `default = true`, so nginx chooses one
    # of these for requests with an unmatched Host header; consider an
    # explicit catch-all vhost.
    virtualHosts = {
      "dryb.org" = proxyTo "http://127.0.0.1:8002";
      "adguard.dryb.org" = proxyTo "http://127.0.0.1:8001";

      # Only TLS settings are given here; the locations presumably come
      # from the nextcloud module (verify).
      "${config.services.nextcloud.hostName}" = withTls { };

      "${config.services.gitea.settings.server.DOMAIN}" = proxyTo "http://127.0.0.1:8003";
      "anki.dryb.org" = proxyTo "http://127.0.0.1:8004";
      "paperless.dryb.org" = proxyTo "http://127.0.0.1:8006";
      "jellyfin.dryb.org" = proxyTo "http://127.0.0.1:8096";
    };
  };

  # Only the HTTP and HTTPS listeners are opened; the 80xx/8096 backend
  # ports are not, so from outside they are reachable only through nginx
  # (assuming the firewall is enabled and no other module opens them).
  networking.firewall = {
    allowedTCPPorts = [ 80 443 ];
  };
}