{ inputs, config, pkgs, ... }:
{
  security.acme = {
    acceptTerms = true;
    defaults.email = "jade@schrottkatze.de";
    certs = {
      "schrottkatze.de" = {
        group = "nginx";
        keyType = "rsa4096";
      };
      "vw.schrottkatze.de" = {
        group = "nginx";
        keyType = "rsa4096";
      };
      "wolke.schrottkatze.de" = {
        group = "nginx";
        keyType = "rsa4096";
      };
      "s10e.de" = {
        group = "nginx";
        keyType = "rsa4096";
      };
      "synapse.schrottkatze.de" = {
        group = "nginx";
        keyType = "rsa4096";
      };
      "pp.schrottkatze.de" = {
        group = "nginx";
        keyType = "rsa4096";
      };
    };
  };

  environment.systemPackages = [ inputs.meowsite.packages."x86_64-linux".default inputs.gumseite.packages."x86_64-linux".default ];

  services.nginx = {
    enable = true;

    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    virtualHosts = {
      "schrottkatze.de" = {
        forceSSL = true;
        enableACME = true;
        root = "${inputs.meowsite.packages."x86_64-linux".default}";
      };
      "vw.schrottkatze.de" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "http://localhost:8812"; #changed the default rocket port due to some conflict
          proxyWebsockets = true;
        };
        locations."/notifications/hub" = {
          proxyPass = "http://localhost:3012";
          proxyWebsockets = true;
        };
        locations."/notifications/hub/negotiate" = {
          proxyPass = "http://localhost:8812";
          proxyWebsockets = true;
        };
      };
      "wolke.schrottkatze.de" = {
        forceSSL = true;
        enableACME = true;
      };
      "pp.schrottkatze.de" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "http://localhost:9001";
          proxyWebsockets = true;
        };
      };
      "s10e.de" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "http://127.0.0.1:8080$request_uri";
        };
      };
      "synapse.schrottkatze.de" = {
        forceSSL = true;
        enableACME = true;
        http2 = true;
        listen = [
          {
            addr = "0.0.0.0";
            port = 443;
            ssl = true;
          }
          {
            addr = "[::]";
            port = 443;
            ssl = true;
          }
          {
            addr = "0.0.0.0";
            port = 8448;
            ssl = true;
          }
          {
            addr = "[::]";
            port = 8448;
            ssl = true;
          }
        ];
        locations."~ ^(/_matrix|/_synapse/client)" = {
          proxyPass = "http://localhost:8008";
          extraConfig = ''
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Host $host;
            client_max_body_size 2G;
          '';
        };
        extraConfig = "proxy_http_version 1.1;";
      };
    };
  };
}