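# NixOS module: serves the CCCHH branding resources as a static site through
# nginx. The TLS listener expects the PROXY protocol, so it is meant to sit
# behind a front proxy rather than be reached by clients directly.
{ pkgs, ... }:

let
  # Static content comes from a pinned commit. `rev` fixes the commit and
  # `hash` fixes the fetched tree, so a change in the upstream repository
  # cannot silently change what is served. Update both together.
  ccchhBrandingResources = pkgs.fetchgit {
    url = "https://gitlab.hamburg.ccc.de/ccchh/ccchh-branding.git";
    rev = "232dfa89ede1414db58576a491021e15c16a5133";
    hash = "sha256-qhNcvkRpLJmFg8yQYUJ6rV0HdTRDcl5Cp/lJ/tL2Q4w=";
  };
in
{
  services.nginx.virtualHosts = {
    # Plain-HTTP vhost that exists only to obtain the certificate via ACME.
    # It answers for the public name on a non-standard port.
    # NOTE(review): presumably the front proxy forwards the ACME challenge
    # requests to port 31820; confirm against the proxy configuration.
    "acme-branding-resources.hamburg.ccc.de" = {
      enableACME = true;
      serverName = "branding-resources.hamburg.ccc.de";
      listen = [
        {
          addr = "0.0.0.0";
          port = 31820;
        }
      ];
    };

    # TLS vhost that serves the content, using the certificate named by
    # useACMEHost (the one requested by the vhost above).
    "branding-resources.hamburg.ccc.de" = {
      # NOTE(review): only a TLS listener is declared below; confirm where the
      # HTTP-to-HTTPS redirect that forceSSL implies is actually served.
      forceSSL = true;
      useACMEHost = "branding-resources.hamburg.ccc.de";

      # "proxy_protocol" makes nginx expect a PROXY protocol header on every
      # connection to this port. The socket binds all interfaces, while
      # set_real_ip_from (below) only decides whose header may rewrite
      # $remote_addr. It does not stop other hosts from connecting.
      # NOTE(review): this file does not show a firewall rule limiting port
      # 8443 to the proxy; confirm one exists.
      listen = [
        {
          addr = "0.0.0.0";
          port = 8443;
          ssl = true;
          extraParameters = [ "proxy_protocol" ];
        }
      ];

      # Document root: a buildEnv containing only the pinned checkout.
      root = pkgs.buildEnv {
        name = "ccchh-branding-resources";
        paths = [ ccchhBrandingResources ];
      };

      # Each directive must be on its own line. An nginx `#` comment runs to
      # the end of the line, so a directive placed after a comment on the same
      # line is ignored, and logs and address-based rules would then see the
      # proxy's address instead of the client's.
      extraConfig = ''
        # Make use of the ngx_http_realip_module to set the $remote_addr and
        # $remote_port to the client address and client port, when using proxy
        # protocol.
        # First set our proxy protocol proxy as trusted.
        set_real_ip_from 172.31.17.140;
        # Then tell the realip_module to get the addreses from the proxy protocol
        # header.
        real_ip_header proxy_protocol;
      '';
    };
  };
}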