# Caddy front-end for this host's public services, plus the ACME defaults it
# leans on.  Every host name hangs off config.constants.domain and every
# backend port comes from config.constants.port.
{ config, pkgs, ... }:
let
  consts = config.constants;
  dn = consts.domain;

  # Backend that hosts forgejo, jellyfin and conduit.  100.64.0.3 lies in the
  # 100.64.0.0/10 range, presumably an address on the overlay network that the
  # headscale vhost below coordinates -- confirm before relying on that.
  home = "100.64.0.3";
  local = consts.localhost;
  msfqdn = config.mailserver.fqdn;
  mtfqdn = "matrix.${dn}";

  # Render every port once as a string so it can be interpolated straight into
  # Caddyfile snippets.
  portStr = builtins.mapAttrs (_: toString) consts.port;

  wellKnown = suffix: "/.well-known/${suffix}";
  wkMatrix = wellKnown "matrix";

  # Minimal reverse_proxy stanza for a backend reachable at host:port.
  proxyTo = host: port: ''
    reverse_proxy ${host}:${port}
  '';

  # Matrix discovery documents published under /.well-known/matrix on the apex.
  matrixServerDoc = ''{ "m.server": "${mtfqdn}:${portStr.https}" }'';
  matrixClientDoc = ''{ "m.homeserver": { "base_url": "https://${mtfqdn}" }, "m.identity_server": { "base_url": "https://${mtfqdn}" } }'';
in
{
  services.caddy = {
    enable = true;
    email = consts.postMaster;

    virtualHosts = {
      # The apex only publishes Matrix discovery: JSON content type and a
      # wildcard CORS origin on the well-known paths, then two fixed bodies.
      "${dn}".extraConfig = ''
        header ${wkMatrix}/* Content-Type application/json
        header ${wkMatrix}/* Access-Control-Allow-Origin *
        respond ${wkMatrix}/server `${matrixServerDoc}`
        respond ${wkMatrix}/client `${matrixClientDoc}`
      '';

      "forgejo.${dn}".extraConfig = proxyTo home portStr.forgejo;
      "headscale.${dn}".extraConfig = proxyTo local portStr.headscale;
      "jellyfin.${dn}".extraConfig = proxyTo home portStr.jellyfin;

      # Mail host: Caddy only answers HTTP-01 challenges out of the shared ACME
      # webroot; useACMEHost points it at the certificate the NixOS ACME module
      # keeps for msfqdn instead of letting Caddy obtain its own.
      "${msfqdn}" = {
        extraConfig = ''
          file_server ${wellKnown "acme-challenge"}/* {
            root ${config.security.acme.defaults.webroot}/
          }
        '';
        useACMEHost = msfqdn;
      };

      # Matrix API paths go to conduit; everything else is the static cinny
      # web client shipped in pkgs.cinny.
      "matrix.${dn}".extraConfig = ''
        reverse_proxy /_matrix/* ${home}:${portStr.conduit}
        file_server {
          root ${pkgs.cinny}
        }
      '';

      # Vault receives the connecting peer's address in X-Real-IP;
      # {remote_host} is a Caddy placeholder, not Nix interpolation.
      "vault.${dn}".extraConfig = ''
        reverse_proxy ${local}:${portStr.vault} {
          header_up X-Real-IP {remote_host}
        }
      '';
    };
  };

  security.acme = {
    acceptTerms = true;
    defaults = {
      email = consts.postMaster;
      # Directory the mail vhost above exposes for HTTP-01 validation.
      webroot = "/var/lib/acme/acme-challenge";
    };
  };
}