{ inputs, config, pkgs, ... }:
{
  security.acme = {
    acceptTerms = true;
    defaults.email = "jade@schrottkatze.de";
    defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
    defaults.webroot = "/var/lib/acme/acme-challenge";
    certs = {
      "ck.katzen.cafe" = {
        group = "nginx";
        keyType = "rsa4096";
      };
      "meet.katzen.cafe" = {
        group = "nginx";
        keyType = "rsa4096";
      };
      "wiki.phtanum-b.katzen.cafe" = {
        group = "nginx";
        keyType = "rsa4096";
      };
      "mumble.katzen.cafe" = {
        group = "murmur";
        keyType = "rsa4096";
      };
    };
  };

  services.nginx  = {
    enable = true;

    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    virtualHosts = {
      "ck.katzen.cafe" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "http://localhost:3000";
          proxyWebsockets = true;
          extraConfig = ''
              client_max_body_size 8M;

              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Proto https;
            '';
        };
      };
      "wiki.phtanum-b.katzen.cafe" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "http://localhost:8099";
        };
      };
    };
  };
}