{
  config,
  lib,
  ...
}:
let
  cfg = config.machine.searxng;
in
with lib;
mkIf cfg.enable {
  networking.firewall = {
    allowedTCPPorts = [ cfg.port ];
  };

  services.nginx.virtualHosts = mkIf (cfg.domain != null) {
    "${cfg.domain}" = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "http://127.0.0.1:${toString cfg.port}";
        proxyWebsockets = true;
      };
    };
  };
}