{ ... }:
{
  services.nginx.virtualHosts."anisync.grzb.de" = {
    forceSSL = true;
    enableACME = true;
    listen = [
      { 
        addr = "localhost";
        port = 1234;
      } # workaround for enableACME check
      {
        addr = "localhost";
        port = 8443;
        ssl = true;
        proxyProtocol = true;
      }
    ];
    locations."/" = {
      proxyPass = "http://anisync.vs.grzb.de:8080";
      proxyWebsockets = true;
    };
    extraConfig = ''
      add_header X-Content-Type-Options nosniff;
    '';
  };
}