{ config, ... }:
let
  # Short names for the values this module wires together.
  domain = config.constants.domain;
  mailFqdn = config.mailserver.fqdn;
  matrixFqdn = "matrix.${domain}";
  contact = config.constants.postMaster;
  vw = config.services.vaultwarden.config;

  # Directory the ACME client writes HTTP-01 challenge files under; it is
  # defined by security.acme.defaults.webroot further down in this module.
  acmeWebroot = config.security.acme.defaults.webroot;

  wellKnown = name: "/.well-known/${name}";
  matrixWellKnown = wellKnown "matrix";
  acmeChallenge = wellKnown "acme-challenge";

  # Upstream addresses for Vaultwarden, taken from its own config so the two
  # services cannot drift apart.
  rocketUpstream = "${vw.ROCKET_ADDRESS}:${builtins.toString vw.ROCKET_PORT}";
  websocketUpstream = "${vw.WEBSOCKET_ADDRESS}:${builtins.toString vw.WEBSOCKET_PORT}";
in
{
  services.caddy = {
    enable = true;
    email = contact;

    virtualHosts = {
      # Apex domain: publishes only the Matrix delegation documents
      # (/.well-known/matrix/{server,client}). Both responses are JSON and the
      # client document must be readable cross-origin, hence the two headers.
      # NOTE(review): m.identity_server is pointed at the homeserver itself;
      # this is only meaningful if that host really serves the identity API —
      # confirm, otherwise drop the key.
      "${domain}".extraConfig = ''
        header ${matrixWellKnown}/* Content-Type application/json
        header ${matrixWellKnown}/* Access-Control-Allow-Origin *
        respond ${matrixWellKnown}/server `{ "m.server": "${matrixFqdn}:443" }`
        respond ${matrixWellKnown}/client `{ "m.homeserver": { "base_url": "https://${matrixFqdn}" }, "m.identity_server": { "base_url": "https://${matrixFqdn}" } }`
      '';

      # Mail host: the only thing Caddy does here is answer HTTP-01 challenges
      # from the shared ACME webroot; the certificate itself is obtained by the
      # NixOS acme module (useACMEHost) rather than by Caddy's own issuer.
      # NOTE(review): Caddy must be able to read both the webroot and the
      # resulting certificate — presumably the NixOS caddy module grants the
      # acme group; verify on the deployed host.
      "${mailFqdn}" = {
        extraConfig = ''
          file_server ${acmeChallenge}/* {
            root ${acmeWebroot}/
          }
        '';
        useACMEHost = mailFqdn;
      };

      # Vaultwarden: the two notification-hub paths must stay ahead of the
      # catch-all, since Caddy tries reverse_proxy directives in file order.
      # X-Real-IP feeds Vaultwarden's client-IP handling (rate limiting, logs);
      # it is only trustworthy if this proxy is the sole route to Vaultwarden,
      # so ROCKET_ADDRESS/WEBSOCKET_ADDRESS should be loopback-only — confirm.
      # NOTE(review): newer Vaultwarden releases serve /notifications/hub on the
      # main Rocket port and have no separate websocket listener; if this
      # deployment runs such a version the second line should target
      # rocketUpstream as well — verify against the installed version.
      "vault.${domain}".extraConfig = ''
        reverse_proxy /notifications/hub/negotiate ${rocketUpstream}
        reverse_proxy /notifications/hub ${websocketUpstream}
        reverse_proxy ${rocketUpstream} {
          header_up X-Real-IP {remote_host}
        }
      '';
    };
  };

  # Shared ACME settings; the webroot is the directory served for the mail
  # host above, so the two must agree.
  security.acme = {
    acceptTerms = true;
    defaults = {
      email = contact;
      webroot = "/var/lib/acme/acme-challenge";
    };
  };
}