# nginx reverse-proxy virtual host in front of HedgeDoc. The backend address is
# read from services.hedgedoc.settings (host and port).
{ config, ... }:
let
  cfg = config.services.hedgedoc.settings;

  # Backend URL shared by every location below.
  upstream = "http://${cfg.host}:${toString cfg.port}";

  # Baseline proxied location; locations needing more extend this set.
  proxied = {
    proxyPass = upstream;
    recommendedProxySettings = true;
  };
in
{
  # NOTE(review): `fqdn` is not bound in this snippet; it presumably comes from
  # an enclosing scope. Confirm where it is defined.
  nginx.virtualHosts."${fqdn}" = {
    # `default = true` makes this the fallback vhost, so requests carrying any
    # unmatched Host header are answered here, including the monitoring
    # endpoints below.
    default = true;
    quic = true;
    kTLS = true;
    forceSSL = true; # plain-HTTP requests are redirected to HTTPS
    enableACME = true;

    locations = {
      "/" = proxied;

      # Websocket upgrade headers are needed for the realtime editor channel.
      "/socket.io/" = proxied // { proxyWebsockets = true; };

      # The access control for /metrics is commented out, so the endpoint is
      # served to every client that can reach this vhost. The disabled lines
      # are nginx directives; to enforce them they would go into this
      # location's `extraConfig` string.
      #   allow 195.160.173.255;
      #   allow 2001:678:760:cccb::ffff;
      #   deny all;
      "/metrics" = proxied;

      # Same situation as /metrics: the allow-list is disabled, so /status is
      # reachable without restriction.
      #   allow 195.160.173.255;
      #   allow 2001:678:760:cccb::ffff;
      #   deny all;
      "/status" = proxied;
    };
  };
}