nix-infra/config/hosts/esphome/nginx.nix

{ config, ... }:

{
  services.nginx = {
    enable = true;

    virtualHosts = {
      "esphome.ccchh.net" = {
        forceSSL = true;
        enableACME = true;
        serverName = "esphome.ccchh.net";

        listen = [
          {
            addr = "0.0.0.0";
            port = 80;
          }
          {
            addr = "[::]";
            port = 80;
          }
          {
            addr = "0.0.0.0";
            port = 443;
            ssl = true;
          }
          {
            addr = "[::]";
            port = 443;
            ssl = true;
          }
        ];

        locations."/" = {
          proxyPass = "http://${config.services.esphome.address}:${builtins.toString config.services.esphome.port}";
          proxyWebsockets = true;
        };
      };
      "esphome.z9.ccchh.net" = {
        forceSSL = true;
        useACMEHost = "esphome.ccchh.net";
        serverName = "esphome.z9.ccchh.net";

        listen = [
          {
            addr = "0.0.0.0";
            port = 80;
          }
          {
            addr = "[::]";
            port = 80;
          }
          {
            addr = "0.0.0.0";
            port = 443;
            ssl = true;
          }
          {
            addr = "[::]";
            port = 443;
            ssl = true;
          }
        ];

        globalRedirect = "esphome.ccchh.net";
        redirectCode = 307;
      };
    };
  };
  security.acme.certs."esphome.ccchh.net".extraDomainNames = [ "esphome.z9.ccchh.net" ];

  networking.firewall.allowedTCPPorts = [ 80 443 ];
}