{ config, lib, pkgs,... }: {
  services.nginx = {
    enable = true;

    recommendedProxySettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;

    virtualHosts =
      let
        base = locations: {
          enableACME = true;
          forceSSL = true;
          inherit locations;
        };

        static = { dir }: base {
          "/".root = dir;
        };

        proxied = { target, extra ? "" }: base {
          "/" = {
            proxyPass = target;
            extraConfig = extra;
          };
        };

        proxiedAuth = { target, extra ? "", auth }: base {
          "/" = {
            proxyPass = target;
            basicAuthFile = auth;
            extraConfig = extra;
          };
        };

        proxiedLAN = { target }: base {
          "/" = {
            proxyPass = target;
            extraConfig = ''
              allow 192.168.0.0/24;
              deny all;
            '';
          };
        };
      in
      {
        "atuin.matri.cx" = proxied { target = "http://127.0.0.1:8888"; };
        "brohan.lol" = static { dir = "/var/www/brohan.lol"; };
        "cache.matri.cx" = proxiedLAN {
          target = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
        };
        "caitlynncox.com" = static { dir = "/var/www/caitlynncox.com"; };
        "dallasmed65.com" = static { dir = "/var/www/dallasmed65.com"; };
        "docker.matri.cx" = proxiedAuth {
          auth = config.age.secrets.htpasswd-dock.path;
          target = "http://127.0.0.1:3001";
          extra = ''
            client_max_body_size 0;
          '';
        };
        "eversole.co" = proxied { target = "http://127.0.0.1:5196"; };
        "flux.matri.cx" = proxied { target = "http://127.0.0.1:26343"; };
        "git.eversole.co" = {
          enableACME = true;
          forceSSL = true;
          locations."/" = { root = "/var/www/git.eversole.co"; tryFiles = "$uri $uri/ @git"; };
          locations."@git" = { proxyPass = "http://127.0.0.1:23232"; priority = 600; };
        };
        "graf.matri.cx" = { root = "/var/www/graf.matri.cx"; }; # refer to /monitoring/nginx.nix
        "hydra.matri.cx" = proxied {
          target = "http://127.0.0.1:3034";
          extra = ''
            proxy_set_header X-Request-Base "https://hydra.matri.cx";
          '';
        };
        "jame.su" = static { dir = "/var/www/jame.su"; };
        "matri.cx" = static { dir = "/var/www/matri.cx"; };
        "media.matri.cx" = proxied { target = "http://127.0.0.1:8096"; };
        "pw.eversole.co" = proxied { target = "http://127.0.0.1:40080"; };
        "sezycei.com" = static { dir = "/var/www/sezycei.com"; };
        "snakebelmont.com" = static { dir = "/var/www/snakebelmont.com"; };
        "transmission.matri.cx" = proxiedLAN { target = "http://127.0.0.1:9091"; };
        "purr.eversole.co" = proxied { target = "http://127.0.0.1:5195"; };
      };
  };
}