{ ... }:
{
  services.nginx.virtualHosts."element.nekover.se" = {
    forceSSL = true;
    enableACME = true;
    listen = [
      {
        addr = "0.0.0.0";
        port = 80;
      }
      {
        addr = "localhost";
        port = 8443;
        ssl = true;
        proxyProtocol = true;
      }
    ];
    locations."/" = {
      proxyPass = "http://element.vs.grzb.de";
      recommendedProxySettings = false;
      extraConfig = ''
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
      '';
    };
    extraConfig = ''
      add_header X-Frame-Options SAMEORIGIN;
      add_header X-Content-Type-Options nosniff;
      add_header X-XSS-Protection "1; mode=block";
      add_header Content-Security-Policy "frame-ancestors 'none'";
    '';
  };
}