# NixOS module: nginx is the public entry point (TCP 80/443) and reverse-proxies
# "git.<fqdn>" to the local Gitea HTTP listener.
#
# NOTE(review): `config.acme.enable` is not defined in this file; it is presumably
# a project-specific option declared in another module. Confirm.
{ config, lib, ... }:

let
  fqdn = config.networking.fqdn;
  acmeEnabled = config.acme.enable;

  # TLS defaults shared by every vhost built with `tlsVhost`.
  # When acmeEnabled is false this helper sets no TLS option at all
  # (forceSSL = false, useACMEHost = null). Unless the caller supplies its own
  # TLS attributes, the vhost is then served over plain HTTP, including any
  # credentials or session cookies sent to the proxied service.
  tlsDefaults = {
    # Redirect plain HTTP to HTTPS whenever a certificate is expected to exist.
    forceSSL = acmeEnabled;
    # useACMEHost reuses the certificate of security.acme.certs.<fqdn>; it does
    # not create a certificate or add names to one. The vhost's own name (e.g.
    # "git.<fqdn>") must therefore be covered by that certificate, which is
    # configured elsewhere. Verify.
    useACMEHost = if acmeEnabled then fqdn else null;
  };

  # `//` is a shallow, right-biased merge, so any key in `overrides`
  # (forceSSL and useACMEHost included) replaces the default above.
  tlsVhost = overrides: tlsDefaults // overrides;

  # Location body that forwards to a service on the loopback interface.
  # The hop from nginx to the upstream is unencrypted HTTP on 127.0.0.1.
  loopbackProxy = port: {
    proxyPass = "http://127.0.0.1:${toString port}/";
  };

  # NOTE(review): only Gitea's port is read here. Its bind address (HTTP_ADDR)
  # is not visible in this file. Confirm it listens on loopback only, so that
  # nginx is the sole path to the service.
  giteaPort = config.services.gitea.settings.server.HTTP_PORT;
in
{
  # Both ports are opened unconditionally, regardless of acmeEnabled.
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;

    # Disabled example of a default vhost, kept for reference:
    # services.nginx.virtualHosts."${fqdn}" = {
    #   addSSL = true;
    #   root = "/var/www/myhost.org";
    #   default = true;
    # };

    virtualHosts."git.${fqdn}" = tlsVhost {
      locations."/" = loopbackProxy giteaPort;
    };
  };
}