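# NixOS module: publishes the qbittorrent service instance through Caddy on
# its configured domain, behind HTTP basic auth, and requests a certificate
# for that domain through the ACME DNS provider configured for the web instance.
#
# Arguments:
#   flake  - supplies flake.config.services.instances (per-service settings).
#   config - the evaluated NixOS configuration; read here for the sops secret path.
{
  flake,
  config,
  ...
}:
let
  inherit (flake.config.services) instances;
  serviceCfg = instances.qbittorrent;
  interface0Cfg = serviceCfg.interfaces.interface0;
  host0 = interface0Cfg.domain;
  dns0 = instances.web.dns.provider0;
  # Name of the sops secret that holds the DNS provider credentials.
  # NOTE(review): the secret itself is not declared in this module; confirm
  # sops.secrets."dns/<provider>" is defined elsewhere.
  dns0Path = "dns/${dns0}";
in
{
  security.acme.certs."${host0}" = {
    dnsProvider = dns0;
    # Provider credentials are handed over as a path to the sops-managed file,
    # so the values themselves do not appear in this expression.
    environmentFile = config.sops.secrets.${dns0Path}.path;
    # Certificate files are group-owned by caddy so the web server can read them.
    group = "caddy";
  };

  services = {
    caddy = {
      virtualHosts = {
        "${host0}" = {
          # Caddyfile fragment. The Caddyfile format is line-oriented: each
          # directive sits on its own line and the opening brace of a block
          # must end its line, so the line breaks below are significant.
          #
          # basic_auth: {$CADDY_AUTH_USER} and {$CADDY_AUTH_PASSWORD_HASH} are
          #   Caddy environment placeholders, substituted when the config is
          #   parsed. The second value must be a password hash (for example the
          #   output of `caddy hash-password`), never the plaintext password.
          #   NOTE(review): neither variable is set in this module; confirm the
          #   caddy unit receives them from a secrets-backed environment file
          #   and that they are not written as literals into the Nix store.
          # reverse_proxy: the upstream is addressed by microvm IP and port with
          #   no scheme, i.e. plain HTTP. Basic auth is enforced only at this
          #   proxy. NOTE(review): presumably the microvm network is host-only;
          #   confirm the port cannot be reached without passing through Caddy.
          # tls: explicit certificate and key paths.
          #   NOTE(review): presumably these point at the files issued for the
          #   ACME certificate above; confirm against interface0Cfg.ssl.
          extraConfig = ''
            basic_auth {
              {$CADDY_AUTH_USER} {$CADDY_AUTH_PASSWORD_HASH}
            }

            reverse_proxy ${interface0Cfg.microvm.ip}:${toString serviceCfg.ports.port0}

            tls ${interface0Cfg.ssl.cert} ${interface0Cfg.ssl.key}

            encode zstd gzip
          '';
        };
      };
    };
  };
}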