{ flake, ... }:
let
  inherit (flake.config.services) instances;
  inherit (flake.config.machines.devices) eris;
  opencloud = instances.opencloud0;
  service = instances.caddy;
in
{
  services.caddy = {
    enable = true;
    virtualHosts = {
      "${opencloud.domains.url0}" = {
        extraConfig = ''
          reverse_proxy ${eris.ip.address0}:${builtins.toString service.ports.port1} {
            transport http {
              tls
              tls_insecure_skip_verify
            }
          }
        '';
      };
    };
  };

  networking = {
    firewall = {
      allowedTCPPorts = [
        service.ports.port0
        service.ports.port1
      ];
    };
  };
}