{ config, values, ... }: { services.nginx = { enable = true; enableReload = true; recommendedProxySettings = true; recommendedTlsSettings = true; recommendedGzipSettings = true; recommendedOptimisation = true; defaultListen = [ { addr = "192.168.10.175"; port = 80; ssl = false; } ]; }; networking.firewall.allowedTCPPorts = [ 80 443 # Internal / Default 43080 43443 # External / Publicly exposed ]; security.acme = { acceptTerms = true; defaults.email = "felix@albrigtsen.it"; }; # Publicly exposed services: services.nginx.virtualHosts = let publicProxy = upstream: { listen = [ { addr = "192.168.10.175"; port = 43443; ssl = true; } { addr = "192.168.10.175"; port = 43080; ssl = false; } ]; enableACME = true; forceSSL = true; locations."/".proxyPass = "${upstream}"; extraConfig = '' proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $host; server_tokens off; ''; }; in { "auth.feal.no" = publicProxy "https://voyager.home.feal.no"; "cloud.feal.no" = publicProxy "http://voyager.home.feal.no"; "git.feal.no" = publicProxy "http://unix:${config.services.gitea.settings.server.HTTP_ADDR}"; "jf.feal.no" = publicProxy "http://jellyfin.home.feal.no/"; "wiki.wackattack.eu" = publicProxy "http://pascal.wackattack.home.feal.no/"; }; }