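{ config, flake, ... }:
let
  inherit (flake.config.services) instances;

  serviceCfg = instances.opencloud;
  interface0Cfg = serviceCfg.interfaces.interface0;
  interface1Cfg = serviceCfg.interfaces.interface1;

  # DNS-01 providers used to issue the certificate for each host.
  dns0 = instances.web.dns.provider0;
  dns1 = instances.web.dns.provider1;

  host0 = interface0Cfg.domain;
  host1 = "${interface0Cfg.subdomain}.${flake.inputs.linkpage.secrets.domains.projectsite}";

  # Directory in which security.acme places the certificate it issues for `host`.
  acmeDir = host: "/var/lib/acme/${host}";

  # One ACME certificate entry: issued via DNS-01 with the given provider, with
  # provider credentials read from the matching sops secret. The key must be
  # readable by the caddy group because Caddy serves it directly.
  acmeCert = provider: {
    dnsProvider = provider;
    environmentFile = config.sops.secrets."dns/${provider}".path;
    group = "caddy";
  };

  # Caddy site body shared by both hosts: proxy to the microvm, forward the
  # client address, redirect the DAV discovery paths, and serve the given
  # TLS material. Only the upstream and the certificate differ between hosts.
  proxySite = { upstreamIp, cert, key }: ''
    reverse_proxy ${upstreamIp}:${toString serviceCfg.ports.port0} {
      header_up X-Real-IP {remote_host}
    }
    redir /.well-known/carddav /remote.php/dav/ 301
    redir /.well-known/caldav /remote.php/dav/ 301
    tls ${cert} ${key}
  '';
in
{
  security.acme.certs = {
    "${host0}" = acmeCert dns0;
    "${host1}" = acmeCert dns1;
  };

  services.caddy.virtualHosts = {
    "${host0}" = {
      # NOTE(review): this vhost serves the key/cert configured under
      # interface0Cfg.ssl, not the ACME certificate issued for host0 above;
      # confirm that is intended (the issued certificate is otherwise unused here).
      extraConfig = proxySite {
        upstreamIp = interface0Cfg.microvm.ip;
        cert = interface0Cfg.ssl.cert;
        key = interface0Cfg.ssl.key;
      };
    };
    "${host1}" = {
      # Serve the ACME certificate issued for host1 itself. Previously this
      # pointed at host0's ACME directory, so clients connecting to host1 were
      # presented a certificate whose name does not match the requested host,
      # while the certificate issued for host1 went unused.
      extraConfig = proxySite {
        upstreamIp = interface1Cfg.microvm.ip;
        cert = "${acmeDir host1}/fullchain.pem";
        key = "${acmeDir host1}/key.pem";
      };
    };
  };
}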