{ ... }:
{
  imports = [
    ./virtualHosts
  ];

  services.nginx = {
    enable = true;

    streamConfig = ''
      map $ssl_preread_server_name $address {
        anisync.grzb.de 127.0.0.1:8443;
        birdsite.nekover.se 127.0.0.1:8443;
        element.nekover.se 127.0.0.1:8443;
        gameserver.grzb.de 127.0.0.1:8443;
        git.grzb.de 127.0.0.1:8443;
        hydra.nekover.se 10.202.41.121:8443;
        matrix.nekover.se 127.0.0.1:8443;
        mewtube.nekover.se 127.0.0.1:8443;
        nekover.se 127.0.0.1:8443;
        nextcloud.grzb.de 127.0.0.1:8443;
        nix-cache.nekover.se 10.202.41.121:8443;
        social.nekover.se 127.0.0.1:8443;
        test.grzb.de 127.0.0.1:8443;
      }

      server {
        listen 0.0.0.0:443;
        listen [::]:443;
        proxy_pass $address;
        ssl_preread on;
        proxy_protocol on;
      }
    '';

    appendHttpConfig = ''
      add_header Strict-Transport-Security "max-age=63072000" always;
    '';
  };
}