{ inputs, ... }:
let
  website = inputs.website.packages."x86_64-linux".default;
in
{
  imports = [
    ./git.nix
  ];

  networking.firewall.allowedTCPPorts = [
    80
    443
  ];

  services.caddy = {
    enable = true;
    virtualHosts."oxapentane.com" = {
      serverAliases = [ "www.oxapentane.com" ];
      extraConfig = ''
        # conduit
        @matrix {
            path /.well-known/matrix/*
            path /_matrix/*
        }

        route {
            header /.well-known/matrix/* Access-Control-Allow-Origin *

            reverse_proxy @matrix 10.89.88.16:6167

            # file server
            file_server {
                root ${website}
                index index.html
            }
        }
      '';
    };

    virtualHosts."auth.oxapentane.com".extraConfig = ''
      reverse_proxy 10.89.88.11:9000 [fd31:185d:722f::11]:9000
    '';

    virtualHosts."dav.oxapentane.com".extraConfig = ''
      route {
          reverse_proxy /outpost.goauthentik.io/* 10.89.88.11:9000 [fd31:185d:722f::11]:9000

          forward_auth 10.89.88.11:9000 {
              uri /outpost.goauthentik.io/auth/caddy
              copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Entitlements X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version X-Authentik-Username>X-Remote-User
              trusted_proxies 10.89.88.11 fd31:185d:722f::11
          }
      }
      reverse_proxy 10.89.88.12:5232 [fd31:185d:722f::12]:5232

    '';

    virtualHosts."immich.oxapentane.com".extraConfig = ''
      reverse_proxy 10.89.88.13:2283
    '';

    virtualHosts."news.oxapentane.com".extraConfig = "reverse_proxy http://10.89.88.14:8080";

        virtualHosts."music.oxapentane.com".extraConfig = ''
      route {
          reverse_proxy /outpost.goauthentik.io/* 10.89.88.11:9000 [fd31:185d:722f::11]:9000

          @protected not path /share/* /rest/*
          forward_auth @protected 10.89.88.11:9000 {
              uri /outpost.goauthentik.io/auth/caddy
              copy_headers X-Authentik-Username>Remote-User
              trusted_proxies 10.89.88.11 fd31:185d:722f::11
          }


          @subsonic path /rest/*
          forward_auth @subsonic 10.89.88.11:9000 {
              uri /outpost.goauthentik.io/auth/caddy
              copy_headers X-Authentik-Username>Remote-User
              @error status 1xx 3xx 4xx 5xx
              handle_response @error {
                  respond <<SUBSONICERR
                  <subsonic-response xmlns="http://subsonic.org/restapi" status="failed" version="1.16.1" type="proxy-auth" serverVersion="n/a" openSubsonic="true">
                    <error code="40" message="Invalid credentials or unsupported client"></error>
                  </subsonic-response>
                  SUBSONICERR 200
              }
              trusted_proxies 10.89.88.11 fd31:185d:722f::11
          }
      }
      reverse_proxy 10.89.88.17:4533

    '';

  };
}