{ self, config, ... }:

{
  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;
    virtualHosts = {
      "clan-war.net" = {
        enableACME = true;
        forceSSL = true;
        locations = {
          "/".root = "${
            self.legacyPackages.${config.nixpkgs.hostPlatform.system}.web.override {
              withBackendUrl = "https://clan-war.net/api/v1";
            }
          }/";
          "/api".proxyPass = "http://localhost:8080/api";
        };
      };
      "api.clan-war.net" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "http://localhost:8080";
          extraConfig = ''
            proxy_set_header Access-Control-Allow-Origin https://clan-war.net;
          '';
        };
      };
    };
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "security@clan-war.net";
  };

  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ 80 ];
    allowedUDPPorts = [ 80 ];
  };
}