{ ... }:
{
  services.nginx.virtualHosts."git.grzb.de" = {
    forceSSL = true;
    enableACME = true;
    listen = [{
      addr = "localhost";
      port = 8443;
      ssl = true;
      extraParameters = ["proxy_protocol"];
    }];
    locations."/" = {
      proxyPass = "http://gitlab.vs.grzb.de:80";
      extraConfig = ''
        gzip off;
        proxy_read_timeout      300;
        proxy_connect_timeout   300;
        proxy_redirect          off;
      '';
    };
    extraConfig = ''
      client_max_body_size 1024m;
      add_header X-Frame-Options DENY;
      add_header X-Content-Type-Options nosniff;

      set_real_ip_from 127.0.0.1;
      real_ip_header proxy_protocol;
    '';
  };
}