# NixOS module for this machine's Caddy instance. Host-specific values (the
# served domain, the caddy user name, port numbers) are read from the flake's
# shared `instances` / `devices` configuration instead of being written inline.
{ flake, ... }:
let
  inherit (flake.config.services) instances;
  inherit (flake.config.machines) devices;

  # Public domain of the web virtual host; it also names the ACME certificate
  # directory used in the tls directive below.
  webDomain = instances.web.domains.url0;
  # Settings of this caddy deployment (user name and port numbers).
  caddyInstance = instances.caddy;
  # Only referenced by the commented-out OpenCloud host below.
  opencloudInstance = instances.opencloud;
in
{
  services.caddy.enable = true;

  # The host only pins its certificate pair and enables response compression
  # here; any handler directives would have to come from elsewhere (not
  # visible in this file).
  # NOTE(review): the NixOS option `useACMEHost` pairs a host with an ACME
  # certificate as well; kept as the explicit tls directive to preserve the
  # existing behaviour — confirm before switching.
  services.caddy.virtualHosts.${webDomain}.extraConfig = ''
    tls /var/lib/acme/${webDomain}/fullchain.pem /var/lib/acme/${webDomain}/key.pem
    encode zstd gzip
  '';

  # Disabled OpenCloud host, kept for reference:
  # services.caddy.virtualHosts.${opencloudInstance.domains.url0}.extraConfig = ''
  #   reverse_proxy http://${devices.eris.ip.address0}:${builtins.toString caddyInstance.ports.port4}
  #   tls ${opencloudInstance.ssl.cert} ${opencloudInstance.ssl.key}
  # '';

  # Supplementary groups of the caddy service user. "acme" presumably grants
  # read access to the certificate files under /var/lib/acme referenced above;
  # why "mastodon" and "firefly-iii" are needed is not visible here.
  # NOTE(review): each group widens what the caddy user may read — confirm
  # every one is still required.
  users.users.${caddyInstance.name}.extraGroups = [ "acme" "mastodon" "firefly-iii" ];

  # Inbound TCP ports opened for caddy; the numbers come from the instance
  # definition and are not visible in this file.
  networking.firewall.allowedTCPPorts = [
    caddyInstance.ports.port0
    caddyInstance.ports.port1
  ];
}