{ config, values, ... }: { services.nginx = { enable = true; enableReload = true; recommendedProxySettings = true; recommendedTlsSettings = true; recommendedGzipSettings = true; recommendedOptimisation = true; defaultListen = [ { addr = "192.168.10.175"; port = 80; ssl = false; } ]; }; networking.firewall.allowedTCPPorts = [ 80 443 # Internal / Default 43080 43443 # External / Publicly exposed ]; security.acme = { acceptTerms = true; defaults.email = "felix@albrigtsen.it"; }; # Publicly exposed services: services.nginx.virtualHosts = let publicProxy = upstream: { listen = [ { addr = "192.168.10.175"; port = 43443; ssl = true; } { addr = "192.168.10.175"; port = 43080; ssl = false; } ]; enableACME = true; forceSSL = true; locations."/".proxyPass = "${upstream}"; }; in { "jf.feal.no" = publicProxy "http://jellyfin.home.feal.no/"; "git.feal.no" = publicProxy "http://unix:${config.services.gitea.settings.server.HTTP_ADDR}"; "wiki.wackattack.eu" = publicProxy "http://pascal.wackattack.home.feal.no/"; "cloud.feal.no" = { listen = [ { addr = "192.168.10.175"; port = 43443; ssl = true; } { addr = "192.168.10.175"; port = 43080; ssl = false; } ]; enableACME = true; forceSSL = true; extraConfig = '' proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; server_tokens off; gzip on; gzip_vary on; gzip_comp_level 4; gzip_min_length 256; gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; # HSTS settings # WARNING: Only add the preload option once you read about # the consequences in https://hstspreload.org/. This option # will add the domain to a hardcoded list that is shipped # in all major browsers and getting removed from this list # could take several months. #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always; ''; locations."/".proxyPass = "http://nextcloud.home.feal.no/"; }; }; }