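# NixOS module: nginx virtual host for git.grzb.de that terminates TLS and
# reverse-proxies every request to the GitLab backend.
{ ... }:

{
  services.nginx.virtualHosts."git.grzb.de" = {
    # Plain-HTTP requests are redirected to HTTPS; the certificate is
    # requested through ACME.
    forceSSL = true;
    enableACME = true;

    # Both listeners bind to localhost, so this vhost is reachable only
    # through something running on the same machine.
    # NOTE(review): presumably a TCP/SNI front end forwards to port 8443;
    # that front end is not visible in this file, so confirm.
    listen = [
      {
        addr = "localhost";
        port = 1234;
      } # workaround for enableACME check
      {
        addr = "localhost";
        port = 8443;
        ssl = true;
        # Connections on this socket must start with a PROXY protocol header.
        # NOTE(review): nginx uses the address from that header for logs and
        # access rules only when `real_ip_header proxy_protocol` and
        # `set_real_ip_from` are configured; neither is set in this file.
        proxyProtocol = true;
      }
    ];

    locations."/" = {
      # NOTE(review): the hop to the backend is unencrypted HTTP. Confirm the
      # path to gitlab.vs.grzb.de stays on a trusted network segment.
      # NOTE(review): no proxy_set_header lines are set here; presumably
      # services.nginx.recommendedProxySettings is enabled elsewhere so the
      # backend sees the original Host and X-Forwarded-* values. Confirm.
      proxyPass = "http://gitlab.vs.grzb.de:80";
      extraConfig = ''
        gzip off;
        proxy_read_timeout 300;
        proxy_connect_timeout 300;
        proxy_redirect off;
      '';
    };

    extraConfig = ''
      # Request bodies up to 1 GiB are accepted before nginx answers 413.
      client_max_body_size 1024m;

      # "always" makes nginx attach these headers to error responses too.
      # Without it, add_header only applies to a fixed set of 2xx/3xx codes,
      # so 4xx/5xx pages would go out without them.
      # These server-level headers reach a location only while that location
      # declares no add_header of its own.
      add_header X-Frame-Options DENY always;
      add_header X-Content-Type-Options nosniff always;
    '';
  };
}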