{ config, values, ... }: { services.nginx = { enable = true; enableReload = true; recommendedProxySettings = true; recommendedTlsSettings = true; recommendedGzipSettings = true; recommendedOptimisation = true; defaultListen = [ { addr = "192.168.10.175"; port = 80; ssl = false; } ]; }; networking.firewall.allowedTCPPorts = [ 80 443 # Internal / Default 43080 43443 # External / Publicly exposed ]; security.acme = { acceptTerms = true; defaults.email = "felix@albrigtsen.it"; }; # Publicly exposed services: services.nginx.virtualHosts = let publicProxy = upstream: { listen = [ { addr = "192.168.10.175"; port = 43443; ssl = true; } { addr = "192.168.10.175"; port = 43080; ssl = false; } ]; enableACME = true; forceSSL = true; locations."/".proxyPass = "${upstream}"; }; in { "jf.feal.no" = publicProxy "http://jellyfin.home.feal.no/"; "git.feal.no" = publicProxy "http://unix:${config.services.gitea.settings.server.HTTP_ADDR}"; "wiki.wackattack.eu" = publicProxy "http://pascal.wackattack.home.feal.no/"; "cloud.feal.no" = { listen = [ { addr = "192.168.10.175"; port = 43443; ssl = true; } { addr = "192.168.10.175"; port = 43080; ssl = false; } ]; enableACME = true; forceSSL = true; extraConfig = '' proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; server_tokens off; # HSTS settings # WARNING: Only add the preload option once you read about # the consequences in https://hstspreload.org/. This option # will add the domain to a hardcoded list that is shipped # in all major browsers and getting removed from this list # could take several months. #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always; ''; locations."/".proxyPass = "http://voyager.home.feal.no/"; }; }; }