nixos-config/hosts/defiant/services/nginx.nix

74 lines
2.1 KiB
Nix

{ config, values, ... }:
{
services.nginx = {
enable = true;
enableReload = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
defaultListen = [
{
addr = "192.168.10.175";
port = 80;
ssl = false;
}
];
};
networking.firewall.allowedTCPPorts = [
80 443 # Internal / Default
43080 43443 # External / Publicly exposed
];
security.acme = {
acceptTerms = true;
defaults.email = "felix@albrigtsen.it";
};
# Publicly exposed services:
services.nginx.virtualHosts = let
publicProxy = upstream: {
listen = [
{ addr = "192.168.10.175"; port = 43443; ssl = true; }
{ addr = "192.168.10.175"; port = 43080; ssl = false; }
];
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "${upstream}";
};
in {
"jf.feal.no" = publicProxy "http://jellyfin.home.feal.no/";
"git.feal.no" = publicProxy "http://unix:${config.services.gitea.settings.server.HTTP_ADDR}";
"wiki.wackattack.eu" = publicProxy "http://pascal.wackattack.home.feal.no/";
"cloud.feal.no" = {
listen = [
{ addr = "192.168.10.175"; port = 43443; ssl = true; }
{ addr = "192.168.10.175"; port = 43080; ssl = false; }
];
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
server_tokens off;
# HSTS settings
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
'';
locations."/".proxyPass = "http://voyager.home.feal.no/";
};
};
}