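# ACME (Let's Encrypt) certificates plus the nginx reverse-proxy front for the
# *.katzen.cafe services. All certificates are issued through the HTTP-01
# webroot challenge that the catch-all HTTP vhost below serves.
{ pkgs, ... }: {
  security.acme = {
    acceptTerms = true;
    defaults = {
      email = "jade@schrottkatze.de";
      # Shared challenge directory; the catch-all vhost exposes it under
      # /.well-known/acme-challenge on port 80.
      webroot = "/var/lib/acme/acme-challenge";
    };
    # Each cert is owned by the group of the daemon that reads the key, so the
    # private key stays unreadable to every other service on the host.
    # Certificates without a vhost in this file (meet, mumble, hc-vault) are
    # presumably consumed by services configured elsewhere — verify before
    # removing any of them.
    certs = {
      "meet.katzen.cafe" = { group = "nginx"; keyType = "rsa4096"; };
      "miau.katzen.cafe" = { group = "nginx"; keyType = "rsa4096"; };
      "forge.katzen.cafe" = { group = "nginx"; keyType = "rsa4096"; };
      "wiki.phtanum-b.katzen.cafe" = { group = "nginx"; keyType = "rsa4096"; };
      "wiki.katzen.cafe" = { group = "nginx"; keyType = "rsa4096"; };
      "auth.katzen.cafe" = { group = "nginx"; keyType = "rsa4096"; };
      "design.katzen.cafe" = { group = "nginx"; keyType = "rsa4096"; };
      "ck.katzen.cafe" = { group = "nginx"; keyType = "rsa4096"; };
      "mumble.katzen.cafe" = { group = "murmur"; keyType = "rsa4096"; };
      "hc-vault.katzen.cafe" = { group = "nginx"; keyType = "rsa4096"; };
      "grafana.katzen.cafe" = { group = "nginx"; keyType = "rsa4096"; };
      "wolke.katzen.cafe" = { group = "nginx"; keyType = "rsa4096"; };
      # "prosody.katzen.cafe" = {
      #   group = "prosody";
      #   keyType = "rsa4096";
      #   extraDomainNames = [
      #     "uploads.prosody.katzen.cafe"
      #     "conference.prosody.katzen.cafe"
      #   ];
      # };
    };
  };

  # Lets nginx read certs whose group is "acme" (the module default) in
  # addition to the ones explicitly assigned to the nginx group above.
  users.users.nginx.extraGroups = [ "acme" ];

  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedTlsSettings = true;
    # NOTE(review): with recommendedProxySettings the module already sets the
    # usual Host / X-Real-IP / X-Forwarded-* headers for proxyPass locations
    # (in recent NixOS releases via an include inside the location). The explicit
    # proxy_set_header lines below then overlap with it — confirm against the
    # generated nginx.conf before relying on either set.
    recommendedProxySettings = true;
    statusPage = true;

    virtualHosts = {
      "miau.katzen.cafe" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = { root = "/var/www/miau"; };
      };

      # Catch-all plain-HTTP vhost: serves the ACME challenge directory and
      # redirects everything else to HTTPS. It has no forceSSL/addSSL, so it
      # only listens on port 80.
      "_.katzen.cafe" = {
        serverAliases = [ "*.katzen.cafe" ];
        locations."/.well-known/acme-challenge" = {
          root = "/var/lib/acme/acme-challenge";
        };
        # $host is constrained to *.katzen.cafe by server_name matching, so
        # the redirect cannot be pointed at a foreign origin.
        # The former `root = "/var/www/miau"` here was dead configuration:
        # `return` is processed before any content handler runs.
        locations."/" = {
          return = "301 https://$host$request_uri";
        };
      };

      "grafana.katzen.cafe" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "http://127.0.0.1:2343";
          proxyWebsockets = true;
        };
      };

      "ck.katzen.cafe" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "http://127.0.0.1:3000";
          proxyWebsockets = true;
          # X-Forwarded-Proto is fixed to https: forceSSL means this location
          # is only ever reached over TLS.
          extraConfig = ''
            client_max_body_size 8M;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
          '';
        };
      };

      "forge.katzen.cafe" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = { proxyPass = "http://127.0.0.1:8082"; };
      };

      # Identity provider. Because it makes decisions (rate limiting, audit
      # logs) based on the client address, exactly one X-Forwarded-For header
      # must reach it.
      "auth.katzen.cafe" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "http://127.0.0.3:8080";
          # proxy_set_header Host $host;
          # Removed the duplicate `proxy_set_header X-Forwarded-For
          # $proxy_protocol_addr;`: no listener in this file enables
          # proxy_protocol, so that variable is empty and nginx drops the
          # header — and had PROXY protocol ever been enabled, the upstream
          # would have received two X-Forwarded-For headers and could have
          # trusted the wrong one. $proxy_add_x_forwarded_for is the single,
          # conventional value.
          extraConfig = ''
            proxy_buffers 4 256k;
            proxy_buffer_size 128k;
            proxy_busy_buffers_size 256k;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          '';
        };
      };

      "design.katzen.cafe" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "http://127.0.0.1:9001";
          proxyWebsockets = true;
        };
      };

      # The two wikis and wolke live on other hosts reached over plain HTTP on
      # private 10.0.x.0 networks; TLS terminates here.
      "wiki.katzen.cafe" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = { proxyPass = "http://10.0.2.2"; };
      };

      "wiki.phtanum-b.katzen.cafe" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = { proxyPass = "http://10.0.1.2"; };
      };

      "wolke.katzen.cafe" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = { proxyPass = "http://10.0.3.2"; };
        # HSTS is only set on this vhost; recommendedTlsSettings does not add
        # it. The other HTTPS vhosts currently ship without it.
        extraConfig = ''
          add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
        '';
      };
    };
  };
}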