82 lines
2.7 KiB
Nix
82 lines
2.7 KiB
Nix
{ config, values, ... }:
|
|
{
|
|
services.nginx = {
|
|
enable = true;
|
|
enableReload = true;
|
|
|
|
recommendedProxySettings = true;
|
|
recommendedTlsSettings = true;
|
|
recommendedGzipSettings = true;
|
|
recommendedOptimisation = true;
|
|
|
|
defaultListen = [
|
|
{
|
|
addr = "192.168.10.175";
|
|
port = 80;
|
|
ssl = false;
|
|
}
|
|
];
|
|
};
|
|
|
|
networking.firewall.allowedTCPPorts = [
|
|
80 443 # Internal / Default
|
|
43080 43443 # External / Publicly exposed
|
|
];
|
|
|
|
security.acme = {
|
|
acceptTerms = true;
|
|
defaults.email = "felix@albrigtsen.it";
|
|
};
|
|
|
|
# Publicly exposed services:
|
|
|
|
services.nginx.virtualHosts = let
|
|
publicProxy = upstream: {
|
|
listen = [
|
|
{ addr = "192.168.10.175"; port = 43443; ssl = true; }
|
|
{ addr = "192.168.10.175"; port = 43080; ssl = false; }
|
|
];
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
|
|
locations."/".proxyPass = "${upstream}";
|
|
};
|
|
in {
|
|
"jf.feal.no" = publicProxy "http://jellyfin.home.feal.no/";
|
|
"git.feal.no" = publicProxy "http://unix:${config.services.gitea.settings.server.HTTP_ADDR}";
|
|
"wiki.wackattack.eu" = publicProxy "http://pascal.wackattack.home.feal.no/";
|
|
|
|
"cloud.feal.no" = {
|
|
listen = [
|
|
{ addr = "192.168.10.175"; port = 43443; ssl = true; }
|
|
{ addr = "192.168.10.175"; port = 43080; ssl = false; }
|
|
];
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
|
|
extraConfig = ''
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
server_tokens off;
|
|
gzip on;
|
|
gzip_vary on;
|
|
gzip_comp_level 4;
|
|
gzip_min_length 256;
|
|
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
|
|
gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
|
|
|
|
|
|
# HSTS settings
|
|
# WARNING: Only add the preload option once you read about
|
|
# the consequences in https://hstspreload.org/. This option
|
|
# will add the domain to a hardcoded list that is shipped
|
|
# in all major browsers and getting removed from this list
|
|
# could take several months.
|
|
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
|
|
'';
|
|
locations."/".proxyPass = "http://nextcloud.home.feal.no/";
|
|
};
|
|
};
|
|
}
|