{ config, pkgs, ... }:

let
  domain = "extremist.software";
  contactEmail = "postmaster@${domain}";

  # Directory the NixOS ACME client (lego) uses as its HTTP-01 webroot; the
  # challenge tokens end up under <webroot>/.well-known/acme-challenge/.
  acmeWebroot = "/var/lib/acme/acme-challenge";

  # Caddyfile snippet shared by every host whose certificate is obtained by
  # the NixOS ACME client rather than by Caddy itself. Only the well-known
  # challenge prefix is served from disk; everything else falls through to
  # the host's own `handle` block.
  acmeChallengeHandle = ''
    handle /.well-known/acme-challenge/* {
      root * ${acmeWebroot}
      file_server
    }
  '';

  # A host that forwards all requests to a loopback upstream and lets Caddy
  # manage its own certificate.
  proxyHost = upstream: {
    extraConfig = ''
      reverse_proxy ${upstream}
    '';
  };
in
{
  services.caddy = {
    enable = true;
    email = contactEmail;

    virtualHosts = {
      # Apex domain: certificate comes from security.acme below (shared with
      # the mail host), so Caddy must not request one on its own.
      "${domain}" = {
        useACMEHost = domain;
        extraConfig = ''
          ${acmeChallengeHandle}
          handle {
            respond "Hi"
          }
        '';
      };

      "git.${domain}" = proxyHost "localhost:3000";

      # Uses the same shared certificate as the apex domain; the web client
      # of the mail server is reached on loopback only.
      "mail.${domain}" = {
        useACMEHost = domain;
        extraConfig = ''
          ${acmeChallengeHandle}
          handle {
            reverse_proxy localhost:8080
          }
        '';
      };

      "search.${domain}" = proxyHost "localhost:8082";

      "status.${domain}" = {
        extraConfig = ''
          reverse_proxy localhost:3001 # Grafana
        '';
      };

      # Only the Matrix API paths are forwarded; any other path gets Caddy's
      # default empty response instead of reaching the homeserver.
      "matrix.${domain}" = {
        extraConfig = ''
          reverse_proxy /_matrix/* localhost:6167
          reverse_proxy /_synapse/client/* localhost:6167
        '';
      };
    };
  };

  # ACME via the NixOS client (Let's Encrypt production) so the resulting
  # certificate can be shared with services other than Caddy, e.g. Stalwart.
  security.acme = {
    acceptTerms = true;
    defaults = {
      email = contactEmail;
      server = "https://acme-v02.api.letsencrypt.org/directory";
    };
    certs.${domain} = {
      webroot = acmeWebroot;
      extraDomainNames = [ "mail.${domain}" ];
      group = "acme";
    };
  };

  # The cert directory is owned by the acme group, so membership is what lets
  # Caddy read the shared certificate; note this presumably covers the private
  # key in that directory as well, not just the public chain.
  users.users.caddy.extraGroups = [ "acme" ];

  # Only HTTP/HTTPS are opened; all upstreams above are addressed on loopback
  # and are not exposed through the firewall.
  networking.firewall.allowedTCPPorts = [ 80 443 ];
}