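# Prosody reverse-proxy glue: extends the primary ACME certificate to the XMPP
# subdomains and defines the nginx virtual hosts that front Prosody's HTTP
# listener (BOSH, WebSocket, push, host-meta, upload) on localhost:5280.
#
# NOTE(review): the whole module is guarded by `enable && domain != null`.
# Previously only the nginx vhosts were guarded on `domain != null` while
# `domain` was still interpolated into the ACME certificate name, so a null
# domain would have failed evaluation instead of disabling the module; a single
# guard at the top keeps the ACME and nginx halves consistent.
{ config, lib, ... }:
let
  inherit (config.machine.prosody) enable domain;

  # Prosody's plain-HTTP listener; every location below is proxied to it, so
  # TLS is terminated by nginx, never by Prosody's HTTP module.
  localhost = "http://localhost:5280";

  # Directory of the ACME certificate issued for the primary domain.
  acmeDir = config.security.acme.certs."${domain}".directory;

  # Shared definition for the TLS-terminating subdomain vhosts
  # (conference.<domain>, upload.<domain>).  They reuse the primary domain's
  # certificate, which is why those names are added to extraDomainNames below.
  proxyVhost = {
    forceSSL = true;
    http3 = true;
    quic = true;
    kTLS = true;
    useACMEHost = domain;
    # NOTE(review): presumably redundant with useACMEHost, from which the nginx
    # module derives the same paths — kept for behaviour parity; confirm.
    sslCertificate = "${acmeDir}/fullchain.pem";
    sslCertificateKey = "${acmeDir}/key.pem";
    locations."/".proxyPass = localhost;
  };
in
lib.mkIf (enable && domain != null) {
  # The primary certificate must also cover the two subdomains served below.
  security.acme.certs."${domain}".extraDomainNames = [
    "conference.${domain}"
    "upload.${domain}"
  ];

  # Lets the prosody user read the ACME-issued key material (group-readable
  # certificate directories).
  users.groups.acme.members = [ "prosody" ];

  services.nginx.virtualHosts = {
    # Prosody HTTP endpoints on the primary domain.  Exact-match ("=")
    # locations so only these specific paths reach Prosody; "/push" is a
    # prefix match.  TLS settings for this vhost are presumably defined
    # elsewhere — verify, since none are set here.
    "${domain}".locations = {
      "= /xmpp-websocket" = {
        proxyPass = localhost;
        proxyWebsockets = true;
      };
      "= /http-bind".proxyPass = localhost;
      "/push".proxyPass = localhost;
      "= /.well-known/host-meta".proxyPass = localhost;
      "= /.well-known/host-meta.json".proxyPass = localhost;
    };

    "conference.${domain}" = proxyVhost;
    "upload.${domain}" = proxyVhost;
  };
}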