{ config, values, ... }: let gitea = config.services.gitea.settings; keycloak = config.services.keycloak.settings; in { services.nginx = { enable = true; enableReload = true; recommendedProxySettings = true; recommendedTlsSettings = true; recommendedGzipSettings = true; recommendedOptimisation = true; defaultListen = [ { addr = "192.168.10.175"; port = 80; ssl = false; } ]; }; networking.firewall.allowedTCPPorts = [ 80 443 # Internal / Default 43080 43443 # External / Publicly exposed ]; security.acme = { acceptTerms = true; defaults.email = "felix@albrigtsen.it"; }; # Publicly exposed services: services.nginx.virtualHosts = let publicProxy = upstream: overrides: { listen = [ { addr = "192.168.10.175"; port = 43443; ssl = true; } { addr = "192.168.10.175"; port = 43080; ssl = false; } ]; enableACME = true; forceSSL = true; locations."/".proxyPass = "${upstream}"; extraConfig = '' proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $host; server_tokens off; ''; } // overrides; in { "auth.feal.no" = publicProxy "" { locations."/" = { proxyPass = "https://voyager.home.feal.no:8300"; extraConfig = '' proxy_ssl_verify off; ''; }; }; "cloud.feal.no" = publicProxy "http://voyager.home.feal.no" {}; "git.feal.no" = publicProxy "http://unix:${gitea.server.HTTP_ADDR}" {}; "jf.feal.no" = publicProxy "http://jellyfin.home.feal.no/" {}; "iam.feal.no" = publicProxy "http://${keycloak.http-host}:${toString keycloak.http-port}" {}; }; }