{flake, ...}: let
  inherit (flake.config.machines.devices) server;
  inherit (flake.config.people.users) user0;
  inherit (flake.config.services.instances) upRootNutrition web;
  service = upRootNutrition;
  localhost = web.localhost.address0;
  host = web.domains.url3;
in {
  services = {
    caddy = {
      virtualHosts = {
        "${host}" = {
          extraConfig = ''
            root * /var/lib/website/dist
            try_files {path} /index.html
            file_server

            # Optional: Add security headers
            header {
              Strict-Transport-Security "max-age=31536000;"
              X-Content-Type-Options "nosniff"
              X-Frame-Options "DENY"
              Referrer-Policy "strict-origin-when-cross-origin"
            }

            # Your existing redirects
            redir /.well-known/carddav /remote.php/dav/ 301
            redir /.well-known/caldav /remote.php/dav/ 301

            # Only proxy API requests if needed
            @api {
              path /api/*
            }
            reverse_proxy ${localhost}:${toString service.ports.port0}

            tls ${service.ssl.cert} ${service.ssl.key}
          '';
        };
      };
    };
  };
}