{ inputs, config, pkgs, ... }:
let 
  domain = "schrottkatze.de";
  vaultwardenSubdomain = "vw";
in {
  security.acme = {
    acceptTerms = true;
    defaults.email = "jade@schrottkatze.de";
    certs = {
      "${vaultwardenSubdomain}.${domain}" = {
        group = "nginx";
        keyType = "rsa2048";
      };
    };
  };

  services.nginx = {
    enable = true;

    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    virtualHosts = {
      "${vaultwardenSubdomain}.${domain}" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "http://localhost:8812"; #changed the default rocket port due to some conflict
          proxyWebsockets = true;
        };
        locations."/notifications/hub" = {
          proxyPass = "http://localhost:3012";
          proxyWebsockets = true;
        };
        locations."/notifications/hub/negotiate" = {
          proxyPass = "http://localhost:8812";
          proxyWebsockets = true;
        };
      };
    };
  };
}