# NixOS module: runs the reverse proxy (nginx + certbot) inside a NixOS
# container named "proxy".  `util`, `mkContainer` and `mkContainerConfig`
# are project helpers whose definitions are not visible in this file.
{ pkgs , storage , const , host , util , domain , mkContainer , mkContainerConfig , ... } @args:
let
  # Host-side directory that backs the container's bind mounts.
  path = "${storage}/proxy";
  # nginx virtualHosts collected from the files under ./proxy/host, each
  # evaluated with this module's arguments (util.catSet / util.ls are
  # project helpers; their exact semantics are not visible here).
  virtualHosts = util.catSet (util.ls ./proxy/host) args;
in
{
  # Host directories for the ACME webroot challenges and for certbot state.
  # NOTE(review): mode 1777 makes both directories world-writable on the
  # host.  `letsencrypt` ends up holding private keys and the
  # options-ssl-nginx.conf / ssl-dhparams.pem files that nginx `include`s
  # below, so any local host user could drop files there.  0755 (or 0700
  # for letsencrypt) is normally enough unless some unprivileged host
  # process has to write into them — confirm before tightening.
  systemd.tmpfiles.rules = map
    ( dirName: "d '${path}/${dirName}' 1777 root root - -" )
    [ "challenge" "letsencrypt" ];

  containers.proxy = mkContainer {
    autoStart = true;
    hostAddress = host;
    localAddress = "10.1.0.2";
    # Separate network namespace with its own address; how the host routes
    # traffic to it is configured elsewhere.
    privateNetwork = true;
    bindMounts = {
      # Certificates are read-only inside the container, so certbot running
      # in the container cannot write renewals into this path — renewal
      # presumably happens on the host side (not visible here; verify).
      "/etc/letsencrypt" = {
        hostPath = "${path}/letsencrypt";
        isReadOnly = true;
      };
      # ACME HTTP-01 webroot; writable so challenge files can be placed.
      "/var/www/.well-known" = {
        hostPath = "${path}/challenge";
        isReadOnly = false;
      };
    };
    config = { config, lib, pkgs, ... }: mkContainerConfig {
      system.stateVersion = const.stateVersion;
      # NOTE(review): an empty password with mutableUsers = false leaves the
      # container's root account without any password.  As written it is
      # only reachable through the host's container console (no sshd in
      # this config), but `hashedPassword = "!"` would lock it; root access
      # via `nixos-container root-login` presumably does not depend on it.
      users.users.root.password = "";
      users.mutableUsers = false;
      networking = {
        # Keep the container's own resolv.conf instead of the host's copy.
        useHostResolvConf = lib.mkForce false;
        # NOTE(review): the container firewall is off, so ports 80/443 and
        # anything else that listens inside the container are exposed to
        # whatever the host routes to 10.1.0.2.
        firewall.enable = false;
      };
      environment.systemPackages = with pkgs; [ certbot ];
      services.nginx = {
        inherit virtualHosts;
        enable = true;
        recommendedOptimisation = true;
        recommendedProxySettings = true;
        # util.trimTabs: project helper, not visible here; assumed to
        # normalise leading whitespace of the config snippet.
        appendConfig = util.trimTabs ''
          worker_processes 4;
        '';
        eventsConfig = util.trimTabs ''
          worker_connections 4096;
        '';
        # Three catch-all server blocks, emitted after the virtualHosts:
        #  1. port 80: redirect every request to https.  NOTE(review):
        #     `server_name default_server;` is just a literal server name;
        #     the catch-all form is `listen 80 default_server;`.  As written
        #     this block is only the default when no virtualHost listens on
        #     :80, and its `location /` also redirects
        #     /.well-known/acme-challenge/ requests — confirm the ACME flow
        #     does not rely on this server block serving the webroot.
        #  2. ${domain}: 301 to the resume PDF selected by Accept-Language.
        #  3. port 443 default: 403 for unknown SNI/Host, presenting
        #     ${domain}'s certificate.  NOTE(review): `listen 443` binds IPv4
        #     only; if the container ever receives an IPv6 address, add a
        #     `[::]:443` listener so the catch-all covers it as well.
        appendHttpConfig = util.trimTabs ''
          server {
            server_name default_server;
            listen 80;
            location / {
              return 301 https://$host$request_uri;
            }
          }
          map $http_accept_language $resume {
            default https://git.${domain}/voronind/resume/releases/download/latest/voronind_en.pdf;
            ~ru https://git.${domain}/voronind/resume/releases/download/latest/voronind_ru.pdf;
          }
          server {
            server_name ${domain};
            listen 443 ssl;
            ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
            include /etc/letsencrypt/conf/options-ssl-nginx.conf;
            ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
            return 301 $resume;
          }
          server {
            listen 443 ssl default_server;
            server_name _;
            ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
            include /etc/letsencrypt/conf/options-ssl-nginx.conf;
            ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
            return 403;
          }
        '';
      };
    };
  };
}