{
  systemd.tmpfiles.rules = [
    "d /var/www/jankremer.de 755 forgejo-runner users -"
  ];

  services.caddy = {
    enable = true;
    virtualHosts = {
      "jankremer.de:8448".extraConfig = # caddyfile
        ''
          reverse_proxy localhost:6167
        '';

      "jankremer.de".extraConfig = # caddyfile
        ''
          handle /_matrix/* {
            reverse_proxy localhost:6167
          }

          handle /.well-known/matrix/server {
            header Content-Type application/json
            respond `{"m.server": "jankremer.de:443"}` 200
          }

          handle /.well-known/matrix/client {
            header Content-Type application/json
            header Access-Control-Allow-Origin *
            respond `{"m.homeserver": {"base_url": "https://jankremer.de"}}` 200
          }

          handle {
            root * /var/www/jankremer.de
            file_server

            @static {
              path *.css *.js *.woff2 *.woff *.ttf *.png *.jpg *.jpeg *.svg *.ico *.webp
            }
            header @static Cache-Control "public, max-age=31536000, immutable"

            @html {
              path *.html
            }
            header @html Cache-Control "no-cache"
          }

          handle_errors {
            rewrite * /404.html
            file_server
          }
        '';

      "git.jankremer.de".extraConfig = # caddyfile
        ''
          reverse_proxy localhost:3000
        '';

      "jankremer.eu".extraConfig = # caddyfile
        ''
          redir https://jankremer.de{uri} permanent
        '';

      "git.jankremer.eu".extraConfig = # caddyfile
        ''
          redir https://git.jankremer.de{uri} permanent
        '';
    };
  };

  networking.firewall.allowedTCPPorts = [
    80
    443
    8448
  ];
}