{
  inputs,
  outputs,
  lib,
  config,
  pkgs,
  ...
}: let
  inherit (lib) mkEnableOption mkIf mkOption types;
  cfg = config.horseman.containers.nginx;
  osConfig = config;
in {
  options = {
    horseman.containers.nginx = {
      enable = mkEnableOption "nginx container";
    };
  };

  config = mkIf cfg.enable {
    networking.extraHosts = "192.168.100.1 koendevLocal.nl public.koendevLocal.nl git.koendevLocal.nl vault.koendevLocal.nl";

    containers.nginx = {
      autoStart = true;
      privateNetwork = true;
      hostAddress = "172.16.0.1";
      localAddress = "192.168.100.1";

      bindMounts = {
        "/var/www/portfolio" = {
          hostPath = "/home/horseman/Programming/portfolio/_site";
          isReadOnly = true;
        };
        "/var/www/public" = {
          hostPath = "/home/horseman/Public";
          isReadOnly = true;
        };
      };

      config = {
        config,
        pkgs,
        lib,
        ...
      }: {
        services.nginx = {
          enable = true;

          virtualHosts = {
            "koendevLocal.nl" = {
              # addSSL = false;
              # enableACME = false;
              root = "/var/www/portfolio";
              default = true;
              extraConfig = ''
                error_page 404 /404.html;
              '';

              addSSL = true;
              sslCertificate = "/var/www/portfolio/cert.pem";
              sslCertificateKey = "/var/www/portfolio/key.pem";
            };

            "public.koendevLocal.nl" = {
              root = "/var/www/public";

              addSSL = true;
              sslCertificate = "/var/www/portfolio/cert.pem";
              sslCertificateKey = "/var/www/portfolio/key.pem";
            };

            "git.koendevLocal.nl" = {
              # addSSL = false;
              # enableACME = false;
              locations."/" = {
                proxyPass = "http://${osConfig.containers.forgejo.localAddress}:${toString osConfig.horseman.containers.forgejo.port}";
              };

              addSSL = true;
              sslCertificate = "/var/www/portfolio/cert.pem";
              sslCertificateKey = "/var/www/portfolio/key.pem";
            };

            "vault.koendevLocal.nl" = {
              # addSSL = false;
              # enableACME = false;
              locations."/" = {
                proxyPass = "http://${osConfig.containers.vaultwarden.localAddress}:${toString osConfig.horseman.containers.vaultwarden.port}";
              };

              forceSSL = true;
              sslCertificate = "/var/www/portfolio/cert.pem";
              sslCertificateKey = "/var/www/portfolio/key.pem";
            };
          };
        };

        networking = {
          firewall = {
            enable = true;
            allowedTCPPorts = [80 443];
          };
          useHostResolvConf = lib.mkForce false;
        };
        services.resolved.enable = true;
        system.stateVersion = "23.11";
      };
    };
  };
}