diff --git a/modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix b/modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix index ecb15aa..b26c530 100644 --- a/modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix +++ b/modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix @@ -4,6 +4,8 @@ gandi_api = "${config.sops.secrets.gandi_api.path}"; #gandi_dns_pat = "${config.sops.secrets.gandi_dns_pat.path}"; home_domain = "home.technicalissues.us"; + backend_ip = "192.168.20.190"; + mini_watcher = "192.168.23.20"; in { sops.secrets.gandi_api = { sopsFile = ../../../../system/common/secrets.yaml; @@ -57,9 +59,18 @@ in { recommendedOptimisation = true; recommendedProxySettings = true; recommendedTlsSettings = true; + appendHttpConfig = '' + # Add HSTS header with preloading to HTTPS requests. + # Adding this header to HTTP requests is discouraged + map $scheme $hsts_header { + https "max-age=31536000 always;"; + } + add_header Strict-Transport-Security $hsts_header; + ''; virtualHosts = { - "nix-tester.${home_domain}" = { + "${home_domain}" = { + serverAliases = [ "nix-tester.${home_domain}" ]; default = true; listen = [ { port = http_port; addr = "0.0.0.0"; } @@ -69,6 +80,69 @@ in { acmeRoot = null; addSSL = true; forceSSL = false; + locations."/" = { + return = "200 '
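Review bot: In the `appendHttpConfig` map, `always;` sits inside the quoted value, so the header goes out as `Strict-Transport-Security: max-age=31536000 always;` instead of `always` acting as the `add_header` parameter. A browser that parses `max-age` strictly will likely discard that value, leaving the hosts without HSTS. The two lines should read `https "max-age=31536000";` and `add_header Strict-Transport-Security $hsts_header always;`. The comment also promises preloading, but the value carries neither `includeSubDomains` nor `preload`; either drop that word from the comment or add the directives deliberately once every subdomain is HTTPS-only.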

Hello world ;)

'";
+ extraConfig = ''
+ add_header Content-Type text/html;
+ '';
+ };
+ };
+ "ab.${home_domain}" = {
+ listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+ locations."/".proxyWebsockets = true;
+ locations."/".proxyPass = "http://${mini_watcher}:13378";
+ };
+ "atuin.${home_domain}" = {
+ listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+ locations."/".proxyPass = "http://${mini_watcher}:9999";
+ };
+ "nc.${home_domain}" = {
+ listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+ extraConfig = ''
+ client_max_body_size 0;
+ underscores_in_headers on;
+ '';
+ locations."/".proxyWebsockets = true;
+ locations."/".proxyPass = "http://${mini_watcher}:8081";
+ locations."/".extraConfig = ''
+ # these are added per https://www.nicemicro.com/tutorials/debian-snap-nextcloud.html
+ add_header Front-End-Https on;
+ proxy_headers_hash_max_size 512;
+ proxy_headers_hash_bucket_size 64;
+ proxy_buffering off;
+ proxy_max_temp_file_size 0;
+ '';
+ };
+ "onlyoffice.${home_domain}" = {
+ listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+ locations."/".proxyWebsockets = true;
+ locations."/".proxyPass = "http://${mini_watcher}:8888";
+ };
+ "readit.${home_domain}" = {
+ listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+ locations."/".proxyPass = "http://${mini_watcher}:8090";
+ };
+ "tandoor.${home_domain}" = {
+ listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+ locations."/".proxyPass = "http://${mini_watcher}:8080";
 };
 };
 };
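Review bot: The location-level `add_header` lines (`add_header Content-Type text/html;` on the default host and `add_header Front-End-Https on;` under `nc`) stop nginx from inheriting the http-level `add_header Strict-Transport-Security $hsts_header;`, because `add_header` is inherited only when the current level defines none. Those two locations would therefore answer without HSTS. For the hello page, `default_type text/html;` sets the type without an `add_header` and likely avoids a duplicate Content-Type header; for `nc`, repeat `add_header Strict-Transport-Security $hsts_header always;` inside `locations."/".extraConfig`. Separately, `client_max_body_size 0;` removes the upload limit on a listener bound to 0.0.0.0, so a comment such as `# unlimited: Nextcloud handles large uploads` or a finite cap would make the intent explicit.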