{ ... }:
{
  imports = [
    ./virtualHosts
  ];

  services.nginx = {
    enable = true;

    eventsConfig = ''
      worker_connections 1024;
    '';

    appendConfig = ''
      worker_processes auto;

      stream {
        map $ssl_preread_server_name $address {
          anisync.grzb.de 127.0.0.1:8443;
          birdsite.nekover.se 10.202.41.107:8443;
          cloud.nekover.se 10.202.41.122:8443;
          element.nekover.se 127.0.0.1:8443;
          gameserver.grzb.de 127.0.0.1:8443;
          git.grzb.de 127.0.0.1:8443;
          git.nekover.se 10.202.41.106:8443;
          hydra.nekover.se 10.202.41.121:8443;
          id.nekover.se 10.202.41.124:8443;
          matrix.nekover.se 10.202.41.112:8443;
          matrix-auth.nekover.se 10.202.41.112:9443;
          mewtube.nekover.se 127.0.0.1:8443;
          nekover.se 127.0.0.1:8443;
          nix-cache.nekover.se 10.202.41.121:8443;
          searx.nekover.se 10.202.41.105:8443;
          social.nekover.se 10.202.41.104:8443;
        }
        server {
          listen 0.0.0.0:443;
          listen [::]:443;
          proxy_pass $address;
          ssl_preread on;
          proxy_protocol on;
        }
      }
    '';

    appendHttpConfig = ''
      add_header Strict-Transport-Security "max-age=63072000" always;
    '';
  };
}