{ config, ... }:
let
  # The service is reachable under the Unicode name; ACME and the certificate
  # paths use its IDNA (punycode) form, so both spellings appear below.
  acmeHost = "xn--tdaa.ee";
  acmeDir = "/var/lib/acme/${acmeHost}";

  # One certificate/key pair is shared by the top-level Prosody config and
  # every virtual host, so it is defined once here.
  tlsFiles = {
    ssl.cert = "${acmeDir}/fullchain.pem";
    ssl.key = "${acmeDir}/key.pem";
  };

  # A Prosody virtual host that serves `domain` with the shared certificate.
  mkHost = domain: tlsFiles // {
    enabled = true;
    inherit domain;
  };

  # Caddy proxies to whichever plain-HTTP port Prosody was given first.
  prosodyHttpPort = builtins.elemAt config.services.prosody.httpPorts 0;

  # Subdomains that share the main host's certificate and Caddy site.
  subdomains = [ "conference" "upload" "share" ];
in
{
  services = {
    prosody = tlsFiles // {
      enable = true;
      # NOTE(review): this switches off the NixOS module's compliance-suite
      # checks; the module list is then entirely the operator's responsibility.
      xmppComplianceSuite = false;
      admins = [ "kaya@üü.ee" ];

      # Both spellings of the host are registered as separate virtual hosts.
      virtualHosts = {
        "üü.ee" = mkHost "üü.ee";
        "xn--tdaa.ee" = mkHost "xn--tdaa.ee";
      };

      muc = [ { domain = "conference.üü.ee"; } ];
      # Two file-transfer mechanisms are configured here (uploadHttp and
      # httpFileShare); presumably only one is meant to be in use — confirm.
      uploadHttp = { domain = "upload.üü.ee"; };
      httpFileShare.domain = "share.üü.ee";
    };

    # üü.ee: TLS termination and reverse proxy in front of Prosody's HTTP port.
    caddy.virtualHosts."üü.ee" = {
      useACMEHost = acmeHost;
      extraConfig = ''
        reverse_proxy :${toString prosodyHttpPort}
      '';
      serverAliases = map (sub: "${sub}.üü.ee") subdomains;
    };
  };

  # The certificate files are owned by the prosody group (see security.acme
  # below); Caddy is added to that group so it can read them.
  users.users.caddy.extraGroups = [ "prosody" ];

  networking.firewall.allowedTCPPorts = [
    5222 # XMPP client-to-server (c2s)
    5269 # XMPP server-to-server (s2s)
  ];

  # Certificate for the punycode host plus its subdomains, obtained via a
  # DNS-01 challenge. The environment file is referenced by path only; it is
  # expected to hold the Cloudflare credentials and must not be committed.
  security.acme.certs."${acmeHost}" = {
    dnsProvider = "cloudflare";
    group = "prosody";
    extraDomainNames = map (sub: "${sub}.${acmeHost}") subdomains;
    environmentFile = "/etc/secrets/acme.env";
  };
}