{
  inputs,
  constants,
  lib,
  ...
}:

let
  ssl = true;

  inherit (lib.utils) mkVirtualHost;
in
{
  imports = [
    inputs.synix.nixosModules.nginx
  ];

  services.nginx = {
    enable = true;
    openFirewall = true;
    forceSSL = ssl;

    commonHttpConfig = ''
      map $http_upgrade $connection_upgrade {
          default upgrade;
          "" 'close';
      }
      access_log syslog:server=unix:/dev/log;
    '';

    virtualHosts."_" = {
      forceSSL = false;
      locations."/.well-known/acme-challenge/" = {
        root = "/var/lib/acme/acme-challenge";
      };
    };
    virtualHosts."${constants.services.docs.fqdn}" = mkVirtualHost {
      inherit ssl;
      address = constants.hosts.rx4.ip;
      port = 80;
    };
    virtualHosts."${constants.services.forgejo.fqdn}" = mkVirtualHost {
      inherit ssl;
      address = constants.hosts.rx4.ip;
      port = constants.services.forgejo.port;
    };
    virtualHosts."${constants.services.jirafeau.fqdn}" = {
      enableACME = ssl;
      forceSSL = ssl;
      locations."/" = {
        proxyPass = "http://${constants.hosts.rx4.ip}";
      };
    };
    virtualHosts."${constants.services.miniflux.fqdn}" = mkVirtualHost {
      inherit ssl;
      address = constants.hosts.rx4.ip;
      port = constants.services.miniflux.port;
    };
    virtualHosts."${constants.services.netdata.fqdn}" = {
      useACMEHost = "sid-internal";
      forceSSL = ssl;
      locations."/" = {
        # proxyPass = "http://${constants.hosts.sid.ip}:${toString constants.services.netdata.port}";
        proxyPass = "http://127.0.0.1:${toString constants.services.netdata.port}";
        proxyWebsockets = true;
      };
    };
    virtualHosts."${constants.services.open-webui-oci.fqdn}" = mkVirtualHost {
      inherit ssl;
      address = constants.hosts.rx4.ip;
      port = constants.services.open-webui-oci.port;
    };
    virtualHosts."${constants.services.rss-bridge.fqdn}" = {
      enableACME = ssl;
      forceSSL = ssl;
      locations."/" = {
        proxyPass = "http://${constants.hosts.rx4.ip}";
      };
    };
    virtualHosts."${constants.services.rsshub-oci.fqdn}" = mkVirtualHost {
      inherit ssl;
      address = constants.hosts.rx4.ip;
      port = constants.services.rsshub-oci.port;
    };
    virtualHosts."${constants.services.vaultwarden.fqdn}" = {
      useACMEHost = "sid-internal";
      forceSSL = ssl;
      locations = {
        "/" = {
          proxyPass = "http://${constants.hosts.rx4.ip}:${toString constants.services.vaultwarden.port}";
        };
      };
    };
    virtualHosts."${constants.services.webdav.fqdn}" = {
      useACMEHost = "sid-internal";
      forceSSL = ssl;
      locations."/" = {
        proxyPass = "http://${constants.hosts.rx4.ip}:${toString constants.services.webdav.port}";
        proxyWebsockets = true;
      };
    };
    # FIXME
    # virtualHosts."print.sid.ovh" = {
    #   enableACME = true;
    #   forceSSL = true;
    #   locations."/" = {
    #     proxyPass = "http://100.64.0.5:631";
    #     proxyWebsockets = true;
    #   };
    # };
  };
}