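# NixOS module fragment: terminates TLS in Caddy for the two "website"
# interfaces and requests their certificates through security.acme using
# a DNS provider per host.
#
# Arguments:
#   flake  - provides flake.config.services.instances and the `linkpage` input.
#   config - the NixOS configuration; used here only for sops secret paths.
#
# The module was collapsed onto one line; it is laid out again below with one
# Caddy directive per line inside each extraConfig string. Caddy reads a
# directive up to the end of its line, so `reverse_proxy` and `tls` must not
# share a line.
{ flake, config, ... }:
let
  inherit (flake.config.services) instances;

  serviceCfg = instances.website;
  interface0Cfg = serviceCfg.interfaces.interface0;
  interface1Cfg = serviceCfg.interfaces.interface1;

  # Virtual-host names; they also key the matching security.acme.certs entries.
  host0 = interface0Cfg.domain;
  # NOTE(review): this value comes from a `secrets` attribute but is
  # interpolated at evaluation time, so it ends up in the generated Caddy
  # configuration in the Nix store. Treat it as non-secret.
  host1 = flake.inputs.linkpage.secrets.domains.projectsite;

  # DNS provider names, reused as the sops secret names "dns/<provider>".
  dns0 = instances.web.dns.provider0;
  dns1 = instances.web.dns.provider1;
  dns0Path = "dns/${dns0}";
  dns1Path = "dns/${dns1}";
in
{
  services.caddy = {
    virtualHosts = {
      # TLS ends at Caddy; the hop to the microVM is plain HTTP on port 80.
      # NOTE(review): assumes that link never leaves the host - confirm.
      ${host0}.extraConfig = ''
        reverse_proxy ${interface0Cfg.microvm.ip}:80
        tls ${interface0Cfg.ssl.cert} ${interface0Cfg.ssl.key}
      '';

      # An explicit `tls <cert> <key>` makes Caddy serve these files instead of
      # obtaining a certificate itself.
      # NOTE(review): nothing here grants the caddy user read access to
      # /var/lib/acme/<host> (security.acme.certs.<name>.group) or reloads
      # Caddy after a renewal (security.acme.certs.<name>.reloadServices);
      # confirm both are set elsewhere, otherwise Caddy may fail to load the
      # key or keep serving an expired certificate.
      ${host1}.extraConfig = ''
        reverse_proxy ${interface1Cfg.microvm.ip}:80
        tls /var/lib/acme/${host1}/fullchain.pem /var/lib/acme/${host1}/key.pem
      '';
    };
  };

  # One certificate per host, validated through the host's DNS provider.
  # Only the *path* of the sops secret is referenced here; the credentials
  # themselves are read from that file at runtime.
  # NOTE(review): sops.secrets."dns/<provider>" must be declared elsewhere -
  # not visible in this file.
  security.acme.certs = {
    ${host0} = {
      dnsProvider = dns0;
      environmentFile = config.sops.secrets."${dns0Path}".path;
    };
    ${host1} = {
      dnsProvider = dns1;
      environmentFile = config.sops.secrets."${dns1Path}".path;
    };
  };
}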