{ inputs, constants, config, ... }:
let
  nginxCfg = config.services.nginx;

  # Name of the single certificate shared by the TLS-terminating vhosts below.
  internalCert = "sid-internal";

  # Build a vhost that terminates TLS with the shared internal certificate and
  # reverse-proxies "/" to a loopback-only backend on `port`. `websockets`
  # additionally enables nginx's websocket upgrade handling for that location.
  proxyVhost = { port, websockets ? false }: {
    forceSSL = true;
    useACMEHost = internalCert;
    locations."/" = {
      proxyPass = "http://127.0.0.1:${toString port}";
    } // (if websockets then { proxyWebsockets = true; } else { });
  };
in
{
  imports = [ inputs.synix.nixosModules.nginx ];

  # One certificate issued by the private ACME CA, covering the vaultwarden,
  # netdata and webdav names. nginx runs as its own user, so the key material
  # is made readable to the nginx group.
  security.acme.certs.${internalCert} = {
    domain = constants.services.vaultwarden.fqdn;
    extraDomainNames = [
      constants.services.netdata.fqdn
      constants.services.webdav.fqdn
    ];
    server = "https://${constants.ca-fqdn}:8443/acme/acme/directory";
    group = "nginx";
  };

  # The web root is owned by the Gitea runner (group nginx) so CI jobs can
  # publish into it; the runner unit is also granted write access to the path.
  # Whatever the runner writes under /var/www is served verbatim by nginx.
  systemd.tmpfiles.rules = [ "d /var/www 0755 gitea-runner ${nginxCfg.group} -" ];
  systemd.services.gitea-runner-default.serviceConfig.ReadWritePaths = [ "/var/www" ];

  services.nginx = {
    enable = true;
    # Opens the HTTP/HTTPS ports in the host firewall.
    openFirewall = true;
    # NOTE(review): `forceSSL` at this level is not a stock NixOS
    # services.nginx option; presumably it is declared by the imported synix
    # module — verify, otherwise evaluation fails on an undefined option.
    forceSSL = true;

    virtualHosts = {
      # Static documentation published by CI into the runner-writable root.
      # NOTE(review): unlike the three proxy vhosts this one sets neither
      # forceSSL nor useACMEHost, and its name is not on the internal
      # certificate — confirm plain HTTP is intended for this host.
      ${constants.services.docs.fqdn}.locations."/".root = "/var/www/doc";

      ${constants.services.netdata.fqdn} = proxyVhost {
        port = constants.services.netdata.port;
        websockets = true;
      };

      ${constants.services.vaultwarden.fqdn} = proxyVhost {
        port = constants.services.vaultwarden.port;
      };

      ${constants.services.webdav.fqdn} = proxyVhost {
        port = constants.services.webdav.port;
        websockets = true;
      };
    };
  };
}