# NixOS module: publish the OpenCloud instance behind Caddy and obtain its
# certificate through a DNS-01 ACME challenge.  All host, address and port
# values come from the flake-level service/device registry rather than being
# hard-coded here.
{ flake, config, ... }:
let
  inherit (flake.config.services) instances;
  # NOTE(review): `eris` is bound but not referenced anywhere in this module.
  inherit (flake.config.machines.devices) eris;

  oc = instances.opencloud0;          # the proxied OpenCloud instance
  caddyInst = instances.caddy;        # the Caddy instance (listener ports)
  dnsProvider = instances.web.dns.provider0;
  host = oc.domains.url0;             # public FQDN served by this vhost
in
{
  services.caddy.enable = true;

  # One virtual host for the OpenCloud FQDN.  Caddy terminates TLS and
  # forwards to the backend's configured interface/port.
  services.caddy.virtualHosts.${host}.extraConfig = ''
    reverse_proxy ${oc.interface.ip}:${toString oc.ports.port0} {
      header_up X-Real-IP {remote_host}
    }
    redir /.well-known/carddav /remote.php/dav/ 301
    redir /.well-known/caldav /remote.php/dav/ 301
    tls ${oc.ssl.cert} ${oc.ssl.key}
  '';
  # Notes on the Caddyfile above:
  #  - X-Real-IP is set from Caddy's own view of the peer address, so the
  #    backend should treat it as authoritative only if nothing else can
  #    reach the backend port directly (the backend binds oc.interface.ip;
  #    whether that interface is reachable from elsewhere is not visible here).
  #  - The `tls` line points Caddy at explicit cert/key files.  The ACME
  #    certificate requested below is only used if oc.ssl.cert/key resolve to
  #    that ACME output (typically under /var/lib/acme/<host>/) — TODO confirm;
  #    otherwise the ACME cert is issued but never served.
  #  - No Strict-Transport-Security header is emitted here; Caddy does not add
  #    HSTS by default, so clients can still be downgraded on first contact
  #    unless it is set elsewhere — TODO confirm.

  # DNS-01 issuance for the same FQDN.  The provider API credentials come from
  # a sops-managed secret; the resulting cert/key are group-readable by caddy.
  security.acme.certs.${host} = {
    dnsProvider = dnsProvider;
    environmentFile = config.sops.secrets."dns/${dnsProvider}".path;
    group = "caddy";
  };

  # Expose only the two Caddy listener ports (HTTP for redirects/ACME HTTP
  # challenges, HTTPS for traffic); the backend port itself stays closed.
  networking.firewall.allowedTCPPorts = [
    caddyInst.ports.port0 # 80
    caddyInst.ports.port1 # 443
  ];
}