{ config, pkgs, ... }:

{
	security.acme.defaults.email = "porject-a@project-a.space";
	security.acme.acceptTerms = true;

	services.nginx = {
		enable = true;
		recommendedTlsSettings = true;
		recommendedOptimisation = true;
		defaultSSLListenPort = 444;

		streamConfig = ''
			map $ssl_preread_server_name $name {
				default                marzban;
			}

			upstream git {
				server 127.0.0.1:444;
			}

			upstream marzban {
				server 127.0.0.1:1080;
			}

			server {
				listen 0.0.0.0:443;
				listen [::0]:443;
				proxy_pass $name;
				ssl_preread on;
				proxy_connect_timeout 30s;
				proxy_timeout 1h;
				proxy_buffer_size 64k;
			}
		'';
	};
}