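# NixOS module: host-side nginx in front of the forgejo and vaultwarden
# containers, with ACME-issued certificates for every virtual host and a
# plain TCP stream proxy for Forgejo's SSH port.
{ lib, config, ... }:
let
  inherit (lib) mkEnableOption mkIf mkOption types;

  cfg = config.horseman.containers.nginx;

  # Settings of the proxied containers (lazy; only forced when cfg.enable).
  forgejoCfg = config.horseman.containers.forgejo;
  vaultwardenCfg = config.horseman.containers.vaultwarden;
  forgejoAddr = config.containers.forgejo.localAddress;
  vaultwardenAddr = config.containers.vaultwarden.localAddress;

  # Every vhost is HTTPS-only with an ACME certificate.
  tlsHost = extra: { forceSSL = true; enableACME = true; } // extra;
in
{
  options.horseman.containers.nginx = {
    enable = mkEnableOption "nginx container";

    # Base domain; the other services live under public./git./vault. of it.
    domain = mkOption {
      type = types.str;
      default = "koendev.nl";
    };
  };

  config = mkIf cfg.enable {
    security.acme = {
      acceptTerms = true;
      defaults.email = "koen.de.ruiter@hotmail.com";
    };

    services.fail2ban.enable = true;

    services.nginx = {
      enable = true;

      # Pass Host / X-Real-IP / X-Forwarded-{For,Proto} to the proxied
      # locations. Without these, forgejo and vaultwarden only ever see the
      # host's address as the client, so their own logging and per-client
      # rate limiting cannot distinguish real clients.
      # NOTE(review): each backend must also trust the host's address as a
      # reverse proxy for the forwarded headers to be honoured — confirm in
      # the container configs.
      recommendedProxySettings = true;
      # Modern TLS protocol/cipher defaults and OCSP stapling.
      recommendedTlsSettings = true;

      # Raw TCP proxy for Forgejo SSH. Connections reach the container from
      # the host address, not from the original client.
      streamConfig = ''
        server {
          listen ${toString forgejoCfg.sshPort};
          proxy_pass ${forgejoAddr}:${toString forgejoCfg.sshPort};
        }
      '';

      virtualHosts = {
        # Static portfolio; also the catch-all server for unknown Host names.
        "${cfg.domain}" = tlsHost {
          root = "/var/www/portfolio";
          default = true;
          extraConfig = ''
            error_page 404 /404.html;
          '';
        };

        "public.${cfg.domain}" = tlsHost {
          root = "/var/www/public";
        };

        "git.${cfg.domain}" = tlsHost {
          locations."/" = {
            proxyPass = "http://${forgejoAddr}:${toString forgejoCfg.port}";
          };
        };

        "vault.${cfg.domain}" = tlsHost {
          locations."/" = {
            proxyPass = "http://${vaultwardenAddr}:${toString vaultwardenCfg.port}";
            # NOTE(review): if the vaultwarden build in use serves its
            # websocket notifications on this same port, proxyWebsockets
            # will be needed here — verify against the container.
          };
        };
      };
    };

    # Only HTTP, HTTPS and the Forgejo SSH stream port are reachable.
    networking.firewall = {
      enable = true;
      allowedTCPPorts = [ 80 443 forgejoCfg.sshPort ];
    };
  };
}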