# Sources for this configuration:
# - https://nixos.wiki/wiki/Nginx
# - https://nixos.org/manual/nixos/stable/#sec-firewall
# - https://git.grzb.de/yuri/nix-infra/-/tree/3896d34f4f7f3b5dd5cbd270a14b56b102ef3a2a/hosts/web-public-2
#
# Public-facing nginx for ccchh.net: a TLS passthrough on TCP 443 that routes
# on the SNI name, plus a plain-HTTP catch-all on TCP 80 that forwards ACME
# HTTP-01 challenges to the backend owning the requested host and bounces
# every other request to HTTPS.
{ config, pkgs, ... }:

{
  services.nginx = {
    enable = true;

    # Layer-4 (stream) proxy on TCP 443. The route is picked from the
    # unencrypted SNI of the ClientHello (ssl_preread); TLS is terminated by
    # the upstream, not here. Only SNI names listed in the map get a target --
    # the map has no default, so any other name leaves $address empty and
    # nginx has nowhere to forward that connection.
    # NOTE(review): with proxy_protocol on, the upstream on 8443 is handed a
    # PROXY header carrying the original client address. That header is
    # trivially forgeable by anything that can reach the upstream port
    # directly, so the upstream should accept PROXY protocol only from this
    # host -- confirm on the upstream side.
    streamConfig = ''
      map $ssl_preread_server_name $address {
        status.ccchh.net 10.31.206.15:8443;
      }

      # Listen on port 443 as a reverse proxy and use PROXY Protocol for the
      # upstreams.
      server {
        listen 0.0.0.0:443;
        proxy_pass $address;
        ssl_preread on;
        proxy_protocol on;
      }
    '';

    # Host -> backend table consumed by the ACME challenge location below.
    # Hosts not in the table map to "" and therefore cannot be proxied.
    appendHttpConfig = ''
      map $host $upstream_acme_challenge_host {
        club-assistant.ccchh.net 10.31.208.10;
        netbox.ccchh.net 10.31.208.29:31820;
        light.ccchh.net 10.31.208.23;
        thinkcccore0.ccchh.net 10.31.242.3;
        thinkcccore1.ccchh.net 10.31.242.4;
        thinkcccore2.ccchh.net 10.31.242.5;
        thinkcccore3.ccchh.net 10.31.242.6;
        zigbee2mqtt.ccchh.net 10.31.208.25:31820;
        esphome.ccchh.net 10.31.208.24:31820;
        proxmox-backup-server.ccchh.net 10.31.208.28;
        status.ccchh.net 10.31.206.15:31820;
        default "";
      }
    '';

    # Catch-all plain-HTTP vhost: the default server on 0.0.0.0:80 (IPv4 only).
    virtualHosts."well-known_acme-challenge" = {
      default = true;
      listen = [ { addr = "0.0.0.0"; port = 80; } ];

      # ACME HTTP-01 challenges are relayed to whichever backend owns the
      # requested host, so certificates are issued on the backends rather
      # than on this proxy.
      locations."/.well-known/acme-challenge/".proxyPass =
        "http://$upstream_acme_challenge_host";

      # Everything else is sent to HTTPS. The redirect is deliberately
      # temporary (307): a cached permanent redirect would make clients skip
      # the plain-HTTP path that the ACME challenge depends on.
      # NOTE(review): the Location target is built from $host, i.e. the
      # client's Host header, so a Host value this proxy does not know is
      # reflected into the redirect; presumably acceptable for a same-host
      # bounce -- confirm this is intended.
      locations."/".return = "307 https://$host$request_uri";
    };
  };

  networking.firewall = {
    # TCP 80 (ACME / redirect vhost) and TCP 443 (SNI passthrough).
    allowedTCPPorts = [ 80 443 ];
    # NOTE(review): nothing in this file listens on UDP 443 (the stream
    # listen is TCP-only and no HTTP/3 is configured); unless another module
    # provides a UDP listener, this port can stay closed.
    allowedUDPPorts = [ 443 ];
  };
}