# NixOS module: Caddy as the public HTTPS front end for two hosts, with
# certificates issued by security.acme through the Cloudflare DNS provider.
{ config, ... }:
let
  # Contact address used for both the ACME defaults and Caddy's `email`.
  contactEmail = "franck@fcuny.net";

  # The two certificates share every setting except the domain name.
  mkCert = domain: {
    inherit domain;
    dnsProvider = "cloudflare";
    dnsResolver = "1.1.1.1";
    # Reload Caddy after issuance/renewal so it serves the fresh certificate.
    reloadServices = [ "caddy.service" ];
    # Only the *path* of the age-managed secret appears here; the token value
    # itself is not written into this module.
    # NOTE(review): the token's permissions are not visible from this file;
    # confirm it is limited to DNS edits on the zone that holds these names.
    credentialFiles.CF_DNS_API_TOKEN_FILE = config.age.secrets."cloudflare-caddy".path;
  };
in
{
  # Only HTTP and HTTPS are opened by this module. The admin port 2019
  # configured below is not in this list.
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];

  security.acme = {
    acceptTerms = true;
    defaults.email = contactEmail;
    certs = {
      "code.fcuny.net" = mkCert "code.fcuny.net";
      "id.fcuny.net" = mkCert "id.fcuny.net";
    };
  };

  services.caddy = {
    enable = true;
    email = contactEmail;

    # `admin :2019` has no host part, so the admin API is not bound to
    # loopback only.
    # NOTE(review): `origins` lists accepted Host/Origin header values; it is
    # presumably not a client-address filter, so the 10.100.0.0/24 entry likely
    # does not limit callers by source IP. Confirm that reachability of :2019 is
    # restricted elsewhere (firewall rules or a specific bind address), since
    # the admin API can change the running configuration.
    globalConfig = ''
      metrics {
        per_host
      }
      admin :2019 {
        origins 127.0.0.1 10.100.0.0/24
      }
    '';

    virtualHosts = {
      # code.fcuny.net: serves the certificate from security.acme.certs and
      # answers 403 for /metrics instead of forwarding it to the backend.
      # NOTE(review): the matcher is the literal path /metrics; check whether
      # the backend exposes metrics under any other path that should be
      # blocked as well.
      forgejo = {
        hostName = "code.fcuny.net";
        useACMEHost = "code.fcuny.net";
        extraConfig = ''
          respond /metrics 403
          reverse_proxy 10.100.0.40:3000
        '';
      };

      # id.fcuny.net: everything is forwarded to the backend on port 8080.
      # NOTE(review): the upstream address carries no https scheme, so the hop
      # to 10.100.0.40 is presumably plain HTTP; this assumes 10.100.0.0/24 is
      # a trusted or encrypted network. Confirm.
      auth = {
        hostName = "id.fcuny.net";
        useACMEHost = "id.fcuny.net";
        extraConfig = ''
          reverse_proxy 10.100.0.40:8080
        '';
      };
    };
  };
}