# NixOS module: public nginx reverse proxy for the *.shobu.fr hosts.
# Every virtual host gets an ACME certificate and forceSSL, then either serves
# static files or proxies to a backend on `sin-address`.
# All proxyPass targets use http://, so the proxy-to-backend hop is plaintext
# on the LAN; TLS ends at this nginx.
{ inputs, pkgs, ... }:
let
  # striped-front = inputs.striped-front;
  # Address of the backend machine that hosts the proxied services.
  sin-address = "192.168.1.14";
  # nginx include snippets for Authelia, defined in ./lib/autheliaSnippets.nix
  # (contents not visible here). This file uses the attributes
  # authelia-location, proxy and authelia-authrequest.
  authelia-snippets = pkgs.callPackage ./lib/autheliaSnippets.nix { inherit pkgs; };
in
{
  # 80/443 serve the virtual hosts below. No virtual host in this file listens
  # on 8448, and the only Matrix host is commented out further down.
  # NOTE(review): drop 8448 unless a listener defined elsewhere needs it.
  networking.firewall.allowedTCPPorts = [ 80 443 8448 ];

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    virtualHosts =
      let
        # mkStarr host port -> one-entry attrset { "<host>" = <vhost>; }.
        # The vhost proxies "/" to http://sin-address:<port> with websocket
        # support and a 4800 s (80 min) read timeout.
        # It adds no Authelia include, so the only access control on these
        # hosts is whatever the backend application enforces itself.
        # NOTE(review): confirm each app has its own authentication enabled.
        # proxy_ssl_server_name only applies to https:// upstreams; with the
        # http:// proxyPass used here it has no effect.
        mkStarr = host: port: {
          "${host}" = {
            enableACME = true;
            forceSSL = true;
            locations."/" = {
              proxyPass = "http://${sin-address}:${port}";
              proxyWebsockets = true;
              extraConfig = ''
                proxy_ssl_server_name on;
                proxy_read_timeout 4800s;
              '';
            };
          };
        };
      in
      (
        # The `//` chain merges left to right; on a duplicate host name the
        # right-hand definition wins.
        mkStarr "jellyfin.shobu.fr" "8096"
        # // mkStarr "radarr.shobu.fr" "7878"
        // mkStarr "sonarr.shobu.fr" "8989"
        // mkStarr "prowlarr.shobu.fr" "9696"
        // mkStarr "bazarr.shobu.fr" "6767"
        // mkStarr "lidarr.shobu.fr" "8686"
        // mkStarr "whisparr.shobu.fr" "6969"
        // mkStarr "jellyseerr.shobu.fr" "5055"
        // mkStarr "transmission.shobu.fr" "9091"
        // mkStarr "zimablade-admin.shobu.fr" "61208"
        // {
          # radarr is the only host in this file with the Authelia snippets
          # active.
          # The server-level error_log runs at `debug`. nginx debug logs
          # typically include request header lines, so cookies and tokens can
          # end up in /var/log/nginx/debug_radarr.log.
          # NOTE(review): lower the level once troubleshooting is finished.
          "radarr.shobu.fr" = {
            enableACME = true;
            forceSSL = true;
            extraConfig = ''
              include ${authelia-snippets.authelia-location};
              error_log /var/log/nginx/debug_radarr.log debug;
            '';
            # "/" goes through the Authelia auth-request snippet before it is
            # proxied to the backend.
            # Header notes for the block below:
            #  - HSTS carries `preload` but not `includeSubDomains`; the browser
            #    preload list requires both, so `preload` alone does nothing.
            #  - Only the HSTS line uses `always`; the other add_header lines
            #    are omitted on most error responses.
            #  - Expect-CT and X-XSS-Protection are deprecated in current
            #    browsers.
            #  - more_set_headers / more_clear_headers need the headers-more
            #    nginx module, which this file does not load.
            #    NOTE(review): confirm it is enabled elsewhere.
            #  - proxyWebsockets = true presumably already emits the
            #    Upgrade/Connection headers, making the explicit
            #    proxy_set_header pair redundant; verify in the rendered config.
            locations."/" = {
              proxyPass = "http://${sin-address}:7878";
              proxyWebsockets = true;
              extraConfig = ''
                include ${authelia-snippets.proxy};
                include ${authelia-snippets.authelia-authrequest};
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";

                # From https://gist.github.com/R0GGER/916183fca41f02df1471a6f455e5869f
                # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
                add_header Strict-Transport-Security "max-age=63072000; preload" always;
                add_header Referrer-Policy strict-origin-when-cross-origin;
                add_header X-Content-Type-Options nosniff;
                add_header X-XSS-Protection "1; mode=block";
                add_header X-Frame-Options SAMEORIGIN;
                add_header Content-Security-Policy upgrade-insecure-requests;
                add_header Permissions-Policy interest-cohort=();
                add_header Expect-CT 'enforce; max-age=604800';
                more_set_headers 'Server: Proxy';
                more_clear_headers 'X-Powered-By';
                proxy_ssl_server_name on;
              '';
            };
            # "/api" has no authelia-authrequest include, so requests under
            # this prefix skip the Authelia check and reach the backend
            # directly. It also sets none of the response headers above.
            # NOTE(review): presumably intentional so API clients can use the
            # application's own key; confirm the backend enforces it.
            locations."/api" = {
              proxyPass = "http://${sin-address}:7878";
              proxyWebsockets = true;
              extraConfig = ''
                proxy_ssl_server_name on;
              '';
            };
          };

          # Static site served from the shoblog-front flake input's build output.
          "shobu.fr" = {
            enableACME = true;
            forceSSL = true;
            root = "${inputs.shoblog-front.packages.x86_64-linux.default}/dist";
          };

          # Serves /mnt/shares/data straight from disk with no authentication
          # at the proxy. Any file under that path that the nginx user can read
          # is downloadable by anyone who knows its URL.
          # NOTE(review): confirm the share holds only public material.
          "data.shobu.fr" = {
            enableACME = true;
            forceSSL = true;
            root = "/mnt/shares/data";
          };

          # Plain proxy to backend port 8001; no auth layer at the proxy.
          "bddtrans.shobu.fr" = {
            enableACME = true;
            forceSSL = true;
            locations."/" = {
              proxyPass = "http://${sin-address}:8001";
              extraConfig = ''
                proxy_ssl_server_name on;
              '';
            };
          };

          # Plain proxy to backend port 8000 with websockets; no auth layer at
          # the proxy.
          "bddtrans-api.shobu.fr" = {
            enableACME = true;
            forceSSL = true;
            locations."/" = {
              proxyPass = "http://${sin-address}:8000";
              proxyWebsockets = true;
              extraConfig = ''
                proxy_ssl_server_name on;
              '';
            };
          };

          # "striped.shobu.fr" = {
          #   enableACME = true;
          #   forceSSL = true;
          #   root = "${striped-front.packages.x86_64-linux.default}/dist";
          # };

          # Plain proxy to backend port 8082; no auth layer at the proxy.
          "dashboard.shobu.fr" = {
            enableACME = true;
            forceSSL = true;
            locations."/" = {
              proxyPass = "http://${sin-address}:8082";
            };
          };

          # Plain proxy to backend port 3000; no auth layer at the proxy.
          "git.shobu.fr" = {
            enableACME = true;
            forceSSL = true;
            locations."/" = {
              proxyPass = "http://${sin-address}:3000";
            };
          };

          # The Authelia includes and the debug log are commented out inside
          # the nginx text, so this host is not behind Authelia.
          # Nix still evaluates the ${authelia-snippets.*} interpolations on
          # those commented lines, because `#` is ordinary text inside a ''
          # string.
          # NOTE(review): confirm the backend's own login is sufficient, or
          # re-enable the includes. Uploads are capped at 100M.
          "files.shobu.fr" = {
            enableACME = true;
            forceSSL = true;
            extraConfig = ''
              # include ${authelia-snippets.authelia-location};
              # error_log /var/log/nginx/debug_files.log debug;
            '';
            locations."/" = {
              proxyPass = "http://${sin-address}:8086";
              extraConfig = ''
                # include ${authelia-snippets.proxy};
                # include ${authelia-snippets.authelia-authrequest};
                proxy_set_header X-Real-IP $remote_addr;
                client_max_body_size 100M;
              '';
            };
          };

          # "matrix.shobu.fr" = {
          #   forceSSL = true;
          #   enableACME = true;
          #   locations."/".extraConfig = ''
          #     return 404;
          #   '';
          #   locations."/_matrix".proxyPass = "http://${sin-address}:8008";
          #   locations."/_synapse/client".proxyPass = "http://${sin-address}:8008";
          #   locations."/.well-known/matrix/server".proxyPass = "http://${sin-address}:8008/.well-known/matrix/server";
          # };
        }
      );
  };

  # ACME account settings shared by every enableACME host above.
  security.acme = {
    acceptTerms = true;
    defaults.email = "shobu_serhao@proton.me";
  };
}