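# NixOS configuration for the "proxy" host: HAProxy in front of a Plone site
# (TLS terminated here) plus a TLS pass-through to a remote nginx, with the
# certificate obtained via the ACME HTTP-01 challenge.
{ config, lib, pkgs, ... }:

{
  imports = [ ./hardware-configuration.nix ];

  networking.hostName = "proxy";

  # Static addressing on ens18.
  networking.interfaces.ens18.ipv4.addresses = [
    { address = "141.56.51.1"; prefixLength = 24; }
  ];
  networking.defaultGateway.address = "141.56.51.254";
  networking.nameservers = [ "9.9.9.9" "1.1.1.1" ];

  security.acme = {
    certs."stura.htw-dresden.de" = {
      # The ACME client answers HTTP-01 challenges on the loopback only; the
      # port-80 frontend below forwards /.well-known/acme-challenge/ to it.
      listenHTTP = "127.0.0.1:8888";
      # Runs inside the certificate directory after every (re)issuance.
      # HAProxy wants certificate and key in one file; mode 640 keeps the
      # private key readable by the acme group only (haproxy joins it below).
      # NOTE(review): the NixOS ACME module itself writes a full.pem into this
      # directory; confirm whether this concatenation is still needed and that
      # cert.pem carries the intermediate chain on this NixOS version.
      postRun = ''
        cat cert.pem key.pem > full.pem
        chmod 640 full.pem
        systemctl reload haproxy
      '';
    };
  };

  # give haproxy access to the cert files
  users.users.haproxy.extraGroups = [ "acme" ];

  # Do not start haproxy before the first certificate exists; the
  # acme-finished target is provided by the ACME module.
  systemd.services.haproxy = {
    after = [ "acme-finished-stura.htw-dresden.de.target" ];
    wants = [ "acme-finished-stura.htw-dresden.de.target" ];
  };

  services = {
    openssh.enable = true;

    haproxy = {
      enable = true;
      config = ''
        global
          log /dev/log local0
          maxconn 4096
          # for ACME/Let's Encrypt cert + key in one file:
          crt-base /var/lib/acme
          # refuse legacy protocol versions on every terminating bind
          ssl-default-bind-options ssl-min-ver TLSv1.2

        defaults
          log global
          mode tcp
          option tcplog
          timeout connect 5s
          timeout client 30s
          timeout server 30s

        # ---- HTTP (port 80) for ACME challenges ----
        frontend http_in
          bind *:80
          mode http
          option httplog
          # bound how long a client may take to send a complete request
          timeout http-request 10s
          acl is_acme path_beg /.well-known/acme-challenge/
          acl is_my_domain hdr(host) -i stura.htw-dresden.de
          use_backend acme_backend if is_acme is_my_domain
          # redirect everything else to HTTPS
          redirect scheme https code 301 if !is_acme

        backend acme_backend
          mode http
          server acme 127.0.0.1:8888 check

        # ---- SNI routing (TCP, peek at handshake) ----
        frontend sni_router
          bind *:443
          mode tcp
          tcp-request inspect-delay 5s
          tcp-request content accept if { req_ssl_hello_type 1 }
          # terminated here
          use_backend terminate_plone if { req_ssl_sni -i stura.htw-dresden.de }
          # passed through to nginx on remote host
          use_backend tls_passthrough if { req_ssl_sni -i pro.stura.htw-dresden.de }
          # any other (or missing) SNI matches no backend and the connection is closed

        backend terminate_plone
          mode tcp
          # loopback to the termination frontend below; PROXY protocol v2 carries
          # the real client address across the hop so that logs and
          # X-Forwarded-For do not show 127.0.0.1
          server loopback 127.0.0.1:8443 send-proxy-v2

        backend tls_passthrough
          mode tcp
          server nginx_host 141.56.51.15:443 check

        frontend https_terminated
          # accept-proxy: only connections carrying a PROXY header (i.e. coming
          # from terminate_plone) are accepted on this loopback port
          bind 127.0.0.1:8443 ssl crt /var/lib/acme/stura.htw-dresden.de/full.pem accept-proxy
          mode http
          option httplog
          timeout http-request 10s
          default_backend plone_backend

        backend plone_backend
          mode http
          # tell Plone who the client is and that the original request was TLS
          option forwardfor
          http-request set-header X-Forwarded-Proto https
          http-request set-header Host stura.htw-dresden.de
          http-request replace-uri ^/(.*)$ /VirtualHostBase/https/stura.htw-dresden.de:443/Plone/VirtualHostRoot/\1
          server plone 141.56.51.5:8080 check
          # equivalent nginx directive this configuration replaces:
          # proxy_pass "http://141.56.51.5:8080/VirtualHostBase/https/stura.htw-dresden.de:443/Plone/VirtualHostRoot/";
      '';
    };
  };

  networking.firewall.allowedTCPPorts = [ 80 443 ];

  system.stateVersion = "25.11";
}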