nixos-config/hosts/defiant/services/nginx.nix

{ config, values, ... }:
let
  gitea = config.services.gitea.settings;
  keycloak = config.services.keycloak.settings;
in {
  services.nginx = {
    enable = true;
    enableReload = true;

    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;

    defaultListen = [
      {
        addr = "192.168.10.175";
        port = 80;
        ssl = false;
      }
    ];
  };

  networking.firewall.allowedTCPPorts = [
       80   443 # Internal / Default
    43080 43443 # External / Publicly exposed
  ];

  security.acme = {
    acceptTerms = true;
    defaults.email = "felix@albrigtsen.it";
  };

  # Publicly exposed services:

  services.nginx.virtualHosts = let
    publicProxy = upstream: overrides: {
      listen = [
        { addr = "192.168.10.175"; port = 43443; ssl = true; }
        { addr = "192.168.10.175"; port = 43080; ssl = false; }
      ];
      enableACME = true;
      forceSSL = true;

      locations."/".proxyPass = "${upstream}";

      extraConfig = ''
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;

        server_tokens off;
      '';
    } // overrides;
  in {
    "cloud.feal.no" = publicProxy "" {
      locations."/" = {
        proxyPass = "http://challenger.home.feal.no";
        extraConfig = ''
          client_max_body_size 8G;
        '';
      };
    };
    "feal.no" = publicProxy "http://leonard.home.feal.no/" {
      serverAliases = [ "www.feal.no" ];
    };
    "git.feal.no" = publicProxy "http://unix:${gitea.server.HTTP_ADDR}" {
      default = true;
    };
    "iam.feal.no" = publicProxy "http://${keycloak.http-host}:${toString keycloak.http-port}" { };
    "jf.feal.no" = publicProxy "http://jellyfin.home.feal.no/" { };
    "kinealbrigtsen.no" = publicProxy "http://leonard.home.feal.no/" {
      serverAliases = [ "www.kinealbrigtsen.no" ];
    };
    "wiki.wackattack.eu" = publicProxy "http://leonard.home.feal.no/" { };
  };
}