{ lib, ... }:
{
	imports = [ ../../../common/services/nginx.nix ];
	services.nginx.virtualHosts = {
		"nixaalb.org" = {
			enableACME = true;
			forceSSL = true;
			root = "/var/www/nixaalb.org/public";
			extraConfig = ''
				add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
				add_header 'Referrer-Policy' 'same-origin';
				add_header X-Frame-Options DENY;
				add_header X-Content-Type-Options nosniff;
				add_header X-XSS-Protection "1; mode=block";
				add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
				add_header Onion-Location http://ag6mlqzpyswq3oogpnuykgllnv5gevjew6dshzmotwgnpo5jw2jqltad.onion$request_uri;
		'';
		};
		"vault.dotsrc.org" = {
			forceSSL = true;
			enableACME = true;
			locations."/" = {
				proxyPass = "http://127.0.0.1:8812";
				proxyWebsockets = true;
			};
			locations."/notifications/hub" = {
				proxyPass = "http://127.0.0.1:3012";
				proxyWebsockets = true;
			};
			locations."/notifications/hub/negotiate" = {
				proxyPass = "http://127.0.0.1:8812";
				proxyWebsockets = true;
			};
		};
		"mta-sts.nixaalb.org" = {
			enableACME = true;
			forceSSL = true;
			root = "/var/www/mta-sts/public";
			extraConfig = ''
				add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
				add_header 'Referrer-Policy' 'same-origin';
				add_header X-Frame-Options DENY;
				add_header X-Content-Type-Options nosniff;
				add_header X-XSS-Protection "1; mode=block";
				add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
		'';
		};
		"ag6mlqzpyswq3oogpnuykgllnv5gevjew6dshzmotwgnpo5jw2jqltad.onion" = {
			# TODO: Do this with unix sockets instead
			listen = [ {
								addr = "[::1]";
								port = 8080;
							} ];
			root = "/var/www/nixaalb.org/public";
			extraConfig = ''
				add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
				add_header 'Referrer-Policy' 'same-origin';
				add_header X-Frame-Options DENY;
				add_header X-Content-Type-Options nosniff;
				add_header X-XSS-Protection "1; mode=block";
				add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
		'';

		};
	};

	
}