{ config, pkgs, ... }:

{
	security.acme.defaults.email = "project-a@project-a.space";
	security.acme.acceptTerms = true;

	services.nginx = {
		enable = true;
		defaultSSLListenPort = 444;

		streamConfig = ''
			map $ssl_preread_server_name $name {
				default                marzban;
			}

			upstream marzban {
				server 127.0.0.1:1080;
			}

			server {
				listen 0.0.0.0:443;
				proxy_pass $name;
				ssl_preread on;

				proxy_connect_timeout 5s;
				proxy_timeout 60s;
			}
		'';
	};
}