{
  config,
  lib,
  pkgs,
  inputs,
  ...
}:

let
  domains = {
    "lmstudio.marvinroman.me" = {
      proxyPass = "http://127.0.0.1:1234";
    };
    "openwebui.marvinroman.me" = {
      proxyPass = "http://127.0.0.1:8080";
    };
  };
  email = "webmaster@marvinroman.me";

  # Paths to secrets managed by agenix
  gceEnvFile = pkgs.writeText "gcloud-credentials.txt" ''
    GCE_PROJECT="magemonkey-dns"
    GCE_SERVICE_ACCOUNT_FILE="${config.age.secrets."gcloud-svc-account".path}"
  '';
in
{
  age.secrets."gcloud-svc-account" = {
    # Used in modules/llm/nginx-proxies.nix
    file = "${inputs.mysecrets}/gcloud-svc-account.age";
    owner = "acme";
    mode = "400";
  };
  services.nginx = {
    enable = true;
    virtualHosts = lib.mapAttrs (name: cfg: {
      enableACME = true;
      forceSSL = true;
      listen = [
        {
          addr = "192.168.0.249";
          port = 443;
          ssl = true;
        }
      ];
      locations."/" = {
        proxyPass = cfg.proxyPass;
        proxyWebsockets = true;
      };
    }) domains;
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = email;
    certs = lib.mapAttrs (name: _: {
      domain = name;
      dnsProvider = "gcloud";
      credentialsFile = gceEnvFile;
      dnsPropagationCheck = true;
      webroot = null;
    }) domains;
  };

  # Open firewall for HTTPS
  networking = {
    extraHosts = ''
      192.168.0.249 lmstudio.marvinroman.me
      192.168.0.249 openwebui.marvinroman.me
    '';
    firewall.allowedTCPPorts = [
      80
      443
    ];
  };
}