nixos-config/hosts/defiant/services/nginx.nix

{ config, values, ... }:
{
  services.nginx = {
    enable = true;
    enableReload = true;

    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;

    defaultListen = [
      {
        addr = "192.168.10.175";
        port = 80;
        ssl = false;
      }
    ];
  };

  networking.firewall.allowedTCPPorts = [
       80   443 # Internal / Default
    43080 43443 # External / Publicly exposed
  ];

  security.acme = {
    acceptTerms = true;
    defaults.email = "felix@albrigtsen.it";
  };

  # Publicly exposed services:

  services.nginx.virtualHosts = let
    publicProxy = upstream: {
      listen = [
        { addr = "192.168.10.175"; port = 43443; ssl = true; }
        { addr = "192.168.10.175"; port = 43080; ssl = false; }
      ];
      enableACME = true;
      forceSSL = true;

      locations."/".proxyPass = "${upstream}";
    };
  in {
    "jf.feal.no" = publicProxy "http://jellyfin.home.feal.no/";
    "git.feal.no" = publicProxy "http://unix:${config.services.gitea.settings.server.HTTP_ADDR}";
    "wiki.wackattack.eu" = publicProxy "http://pascal.wackattack.home.feal.no/";

    "cloud.feal.no" = {
      listen = [
        { addr = "192.168.10.175"; port = 43443; ssl = true; }
        { addr = "192.168.10.175"; port = 43080; ssl = false; }
      ];
      enableACME = true;
      forceSSL = true;

      extraConfig = ''
        server_tokens off;
        gzip on;
        gzip_vary on;
        gzip_comp_level 4;
        gzip_min_length 256;
        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
        gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;


        # HSTS settings
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
      '';
      locations."/".proxyPass = "http://nextcloud.home.feal.no/";
    };
  };
}
defiant: Configure matrix-synapse. Remove janeway. 2023-12-25 00:06:26 +01:00			`{ config, values, ... }:`
			`{`
			`services.nginx = {`
			`enable = true;`
			`enableReload = true;`

			`recommendedProxySettings = true;`
			`recommendedTlsSettings = true;`
			`recommendedGzipSettings = true;`
			`recommendedOptimisation = true;`

			`defaultListen = [`
			`{`
			`addr = "192.168.10.175";`
Move more services to defiant. Remove sarek. 2023-12-25 01:37:05 +01:00			`port = 80;`
defiant: Configure matrix-synapse. Remove janeway. 2023-12-25 00:06:26 +01:00			`ssl = false;`
			`}`
			`];`
			`};`

			`networking.firewall.allowedTCPPorts = [`
			`80 443 # Internal / Default`
			`43080 43443 # External / Publicly exposed`
			`];`

			`security.acme = {`
			`acceptTerms = true;`
			`defaults.email = "felix@albrigtsen.it";`
			`};`
Move more services to defiant. Remove sarek. 2023-12-25 01:37:05 +01:00
			`# Publicly exposed services:`

			`services.nginx.virtualHosts = let`
			`publicProxy = upstream: {`
			`listen = [`
			`{ addr = "192.168.10.175"; port = 43443; ssl = true; }`
			`{ addr = "192.168.10.175"; port = 43080; ssl = false; }`
			`];`
			`enableACME = true;`
			`forceSSL = true;`

			`locations."/".proxyPass = "${upstream}";`
			`};`
			`in {`
			`"jf.feal.no" = publicProxy "http://jellyfin.home.feal.no/";`
Move metrics,gitea,vaultwarden from voyager to defiant 2023-12-26 11:45:12 +01:00			`"git.feal.no" = publicProxy "http://unix:${config.services.gitea.settings.server.HTTP_ADDR}";`
Update DNS, add wackattack proxy 2023-12-25 02:08:15 +01:00			`"wiki.wackattack.eu" = publicProxy "http://pascal.wackattack.home.feal.no/";`
voyager: add nextcloud 2024-01-03 02:35:57 +01:00
			`"cloud.feal.no" = {`
			`listen = [`
			`{ addr = "192.168.10.175"; port = 43443; ssl = true; }`
			`{ addr = "192.168.10.175"; port = 43080; ssl = false; }`
			`];`
			`enableACME = true;`
			`forceSSL = true;`

			`extraConfig = ''`
			`server_tokens off;`
			`gzip on;`
			`gzip_vary on;`
			`gzip_comp_level 4;`
			`gzip_min_length 256;`
			`gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;`
			gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;


			`# HSTS settings`
			`# WARNING: Only add the preload option once you read about`
			`# the consequences in https://hstspreload.org/. This option`
			`# will add the domain to a hardcoded list that is shipped`
			`# in all major browsers and getting removed from this list`
			`# could take several months.`
			`#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;`
			`'';`
			`locations."/".proxyPass = "http://nextcloud.home.feal.no/";`
			`};`
Move more services to defiant. Remove sarek. 2023-12-25 01:37:05 +01:00			`};`
defiant: Configure matrix-synapse. Remove janeway. 2023-12-25 00:06:26 +01:00			`}`