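{ config, lib, ... }:
let
  cfg = config.syscfg.server;
  containers = cfg.containers;

  # Function to convert your container config into an NGINX vhost.
  # `name` is the attribute name of the container (unused here, kept so the
  # signature matches the mapAttrs' callback); `container` must provide
  # `ip` and `port`. TLS terminates at nginx; the hop to the container is
  # plain HTTP, so `container.ip` is assumed to be on a trusted internal
  # network — confirm for your deployment.
  mkVhost = name: container: {
    # Redirect plain HTTP to HTTPS; port 80 below only serves that redirect.
    forceSSL = true;
    # Reuse the single wildcard certificate issued under security.acme.certs
    # rather than requesting one cert per subdomain.
    useACMEHost = cfg.hostDomain;
    locations."/" = {
      proxyPass = "http://${container.ip}:${toString container.port}";
      proxyWebsockets = true; # Recommended for modern apps
    };
  };
in {
  security.acme = {
    acceptTerms = true;
    defaults.email = "admin@domain.org";
    # One wildcard certificate for every container subdomain. A wildcard can
    # only be obtained via the DNS-01 challenge, hence `dnsProvider` below;
    # adding a container therefore never triggers a new issuance.
    certs."${cfg.hostDomain}" = {
      domain = "*.${cfg.hostDomain}";
      extraDomainNames = [ "${cfg.hostDomain}" ]; # Adds the root too
      dnsProvider = "cloudflare"; # Change to your provider
      # File containing your API token (e.g. CLOUDFLARE_DNS_API_TOKEN=...).
      # It lives outside the Nix store on purpose: anything in /nix/store is
      # world-readable. Keep this file readable only by the ACME service and
      # scope the token to DNS edits for this zone alone.
      credentialsFile = "/var/lib/secrets/acme-dns.env";
      # Lets the nginx user read the issued key/cert (required by useACMEHost).
      group = "nginx";
    };
  };

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    # Build one vhost per container, keyed "<subdomain>.<hostDomain>".
    # NOTE: this must iterate over `containers`, not `cfg` — `cfg` also holds
    # `hostDomain` and `containers` themselves, which have no `.subdomain`.
    virtualHosts = lib.mapAttrs' (name: value:
      lib.nameValuePair "${value.subdomain}.${cfg.hostDomain}" (mkVhost name value)
    ) containers;
  };

  # Open the firewall: 80 for the HTTPS redirect, 443 for the proxied vhosts.
  networking.firewall.allowedTCPPorts = [ 80 443 ];
}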