{ pkgs, ... }: 
{
  security.acme = {
    acceptTerms = true;
    defaults = {
      email = "jade@schrottkatze.de";
      webroot = "/var/lib/acme/acme-challenge";
    };
    certs = {
      #"meet.katzen.cafe" = {
        #group = "nginx";
        #keyType = "rsa4096";
      #};
      "wiki.phtanum-b.katzen.cafe" = {
        group = "nginx";
        keyType = "rsa4096";
      };
      "auth.katzen.cafe" = {
        group = "nginx";
        keyType = "rsa4096";
      };
    };
  };
  services.nginx = {
    enable = true;
    virtualHosts = {
      "wiki.phtanum-b.katzen.cafe" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "http://127.0.0.2:8081";
        };
      };
      "auth.katzen.cafe" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "http://127.0.0.1:8080";
        };
        extraConfig = ''
            proxy_set_header X-Forwarded-For $proxy_protocol_addr;
            proxy_set_header X-Forwarded-Proto $scheme; 
            proxy_set_header Host $host;
          '';
      };
    };

  };
}