{ config, self, ... }:
let
  fqdn = config.networking.fqdn;
  # `config.acme.enable` is not a NixOS option (the upstream one is under
  # `security.acme`); presumably a project-local option declared elsewhere — verify.
  acmeEnabled = config.acme.enable;

  # TLS settings shared by every vhost on this host: redirect to HTTPS and
  # reuse the host-wide ACME certificate only when ACME is switched on.
  # With ACME off, useACMEHost is null and nginx serves plain HTTP.
  tlsDefaults = {
    forceSSL = acmeEnabled;
    useACMEHost = if acmeEnabled then fqdn else null;
  };

  # Merge the shared TLS defaults with per-host attributes; the per-host
  # attributes take precedence on any overlapping key.
  mkVhost = attrs: tlsDefaults // attrs;

  # Reverse-proxy a location to a service listening on loopback only.
  # Buffering is disabled in both directions so large transfers stream
  # through without being spooled to disk.
  mkProxy = port: {
    proxyPass = "http://127.0.0.1:${toString port}/";
    extraConfig = ''
      proxy_buffering off;
      proxy_request_buffering off;
    '';
  };

  giteaPort = config.services.gitea.settings.server.HTTP_PORT;
in
{
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;

    virtualHosts = {
      # Catch-all vhost serving the static site.  SSI is enabled, so nginx
      # evaluates include directives found in served files; the web root is
      # taken from the pinned `self.pins.website` input and must stay a
      # trusted source for that to remain safe.
      "${fqdn}" = mkVhost {
        default = true;
        locations."/" = {
          root = "${self.pins.website}/web-root";
          extraConfig = ''
            ssi on;
          '';
        };
      };

      # Gitea behind nginx, reachable externally only through this proxy.
      "git.${fqdn}" = mkVhost {
        locations."/" = mkProxy giteaPort;
      };
    };
  };

  # NOTE(review): 443 is opened unconditionally, even when ACME (and thus
  # TLS) is disabled above — harmless but worth confirming it is intended.
  networking.firewall.allowedTCPPorts = [ 80 443 ];
}