{ flake, config, ... }:
let
  # The per-instance service description lives in the flake-level config tree.
  inherit (flake.config.services) instances;
  firefly = instances.firefly-iii;
  iface = firefly.interfaces.interface0;
  fqdn = iface.domain;

  # DNS provider used for the ACME DNS-01 challenge, and the sops secret
  # (`dns/<provider>`) that carries the provider's API credentials.
  dnsProvider = instances.web.dns.provider0;
  dnsSecret = config.sops.secrets."dns/${dnsProvider}";
in
{
  # Certificate issuance goes through the DNS-01 challenge (`dnsProvider`),
  # so no HTTP-01 listener is required on this host. The provider credentials
  # are read from the sops-managed environment file rather than being inlined.
  security.acme.certs.${fqdn} = {
    inherit dnsProvider;
    environmentFile = dnsSecret.path;
    # Issued key/cert are owned by the caddy group so the proxy can load them
    # via the `tls` directive below.
    group = "caddy";
  };

  # TLS terminates at Caddy; the hop to the microVM is plain HTTP on port 80,
  # so the original scheme/host are forwarded to the upstream via X-Forwarded-*.
  # NOTE(review): the upstream has to be configured to trust this proxy for
  # those headers — that setting is not part of this file.
  # `iface.ssl.cert`/`iface.ssl.key` are presumably the ACME-issued files from
  # the block above — confirm in the interface definition.
  services.caddy.virtualHosts.${fqdn}.extraConfig = ''
    reverse_proxy http://${iface.microvm.ip}:80 {
      header_up X-Forwarded-Proto https
      header_up X-Forwarded-Host {host}
    }
    tls ${iface.ssl.cert} ${iface.ssl.key}
    encode zstd gzip
  '';
}