# NixOS module: nginx as an SNI router in front of two local services.
#
# The stream listener on 443 reads the TLS ClientHello server name without
# terminating TLS (ssl_preread) and forwards the raw connection:
#   * git.project-a.space  -> 127.0.0.1:444  (nginx HTTPS vhost below)
#   * anything else        -> 127.0.0.1:1080 (upstream "marzban")
{ config, pkgs, ... }:
{
  security.acme = {
    acceptTerms = true;
    # NOTE(review): the local part is spelled "porject-a" — confirm this is the
    # intended mailbox, since it is registered as the ACME account contact.
    defaults.email = "porject-a@project-a.space";
  };

  services.nginx = {
    enable = true;
    recommendedOptimisation = true;
    recommendedTlsSettings = true;

    # HTTPS vhosts listen on 444 so that 443 stays free for the stream listener.
    # NOTE(review): no listen address is set anywhere in this module, so the
    # nginx module's default listen addresses apply to 444. If those are the
    # wildcard addresses, 444 is reachable directly (bypassing the SNI router)
    # unless the firewall blocks it — confirm 444 is not opened in
    # networking.firewall.
    # NOTE(review): verify on your nixpkgs revision that the port-80 redirect
    # generated by forceSSL sends clients to 443 and not to this port.
    defaultSSLListenPort = 444;

    virtualHosts."git.project-a.space" = {
      enableACME = true;
      forceSSL = true;
      # TLS is terminated by this vhost; the backend hop is plain HTTP over
      # loopback.
      # NOTE(review): recommendedProxySettings is not enabled, so this module
      # sets no Host / X-Forwarded-* headers on the proxied request — confirm
      # the backend does not rely on them.
      locations."/".proxyPass = "http://localhost:3000";
    };

    # Layer-4 routing by SNI. Points a reviewer should keep in mind:
    #   * "default marzban" means every connection whose server name is not
    #     git.project-a.space (including one with no SNI) is handed to
    #     127.0.0.1:1080 — that service receives all unsolicited traffic on 443.
    #   * Both upstreams are reached from nginx over loopback, so they (and the
    #     vhost's access log) see 127.0.0.1 as the peer rather than the real
    #     client. Per-client rate limits, ban lists and audit logs keyed on the
    #     source address will not work as expected. PROXY protocol could
    #     restore the address, but both upstreams would have to accept it.
    #   * proxy_timeout 1h keeps an idle connection open for up to an hour;
    #     proxy_connect_timeout 1s fails fast when an upstream is down.
    streamConfig = ''
      map $ssl_preread_server_name $name {
        git.project-a.space git;
        default marzban;
      }

      upstream git {
        server 127.0.0.1:444;
      }

      upstream marzban {
        server 127.0.0.1:1080;
      }

      server {
        listen 0.0.0.0:443;
        listen [::0]:443;
        proxy_pass $name;
        ssl_preread on;
        proxy_connect_timeout 1s;
        proxy_timeout 1h;
        proxy_buffer_size 16k;
      }
    '';
  };
}