homelab/hosts/thea/nginx.nix

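# NixOS module for host "thea": internet-facing nginx that terminates TLS
# (ACME certificates, HTTP redirected to HTTPS via forceSSL) and reverse-proxies
# to services on the backend host `sin-address`.
#
# Every proxyPass below uses http://, so the hop from this proxy to the backend
# is plaintext on the LAN. `proxy_ssl_server_name` only affects TLS handshakes
# to an https:// upstream, so it has been dropped from the extraConfig blocks
# where it suggested otherwise.
{ inputs, pkgs, ... }:
let
  # striped-front = inputs.striped-front;
  # Address of the backend host that all proxied virtual hosts forward to.
  sin-address = "192.168.1.14";
  # nginx include snippets built from ./lib/autheliaSnippets.nix; this file uses
  # its `authelia-location`, `proxy` and `authelia-authrequest` attributes
  # (presumably Authelia forward-auth wiring; the snippet contents are not
  # visible here).
  authelia-snippets = pkgs.callPackage ./lib/autheliaSnippets.nix { inherit pkgs; };
in
{
  # NOTE(review): no virtual host in this file listens on 8448 (the Matrix
  # vhost further down is commented out). Close the port unless another module
  # on this host needs it.
  networking.firewall.allowedTCPPorts = [
    80
    443
    8448
  ];
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    virtualHosts =
      let
        # mkStarr host port -> one-entry attrset { "<host>" = <vhost>; }.
        # The vhost gets an ACME certificate, forces HTTPS and proxies "/" to
        # sin-address:port with websocket support and a 4800s read timeout.
        # It adds no authentication at the proxy: access control is whatever
        # the backend application enforces itself.
        mkStarr = host: port: {
          "${host}" = {
            enableACME = true;
            forceSSL = true;
            locations."/" = {
              proxyPass = "http://${sin-address}:${port}";
              proxyWebsockets = true;
              extraConfig = ''
                proxy_read_timeout 4800s;
              '';
            };
          };
        };
      in
      (
        # NOTE(review): unlike radarr below, none of these hosts include the
        # Authelia snippets, so they are reachable by anyone who can reach
        # 80/443 on this proxy. Confirm each backend has its own login enabled,
        # or give them the same auth_request treatment as radarr.
        mkStarr "jellyfin.shobu.fr" "8096"
        # // mkStarr "radarr.shobu.fr" "7878"
        // mkStarr "sonarr.shobu.fr" "8989"
        // mkStarr "prowlarr.shobu.fr" "9696"
        // mkStarr "bazarr.shobu.fr" "6767"
        // mkStarr "lidarr.shobu.fr" "8686"
        // mkStarr "whisparr.shobu.fr" "6969"
        // mkStarr "jellyseerr.shobu.fr" "5055"
        // mkStarr "transmission.shobu.fr" "9091"
        // mkStarr "zimablade-admin.shobu.fr" "61208"
        // {
          # The only vhost currently wired to the Authelia snippets.
          "radarr.shobu.fr" = {
            enableACME = true;
            forceSSL = true;
            # NOTE(review): debug-level error logging is a troubleshooting
            # setting. On a debug-enabled nginx build it is very verbose and can
            # record request details such as headers; remove it once debugging
            # is finished and keep the log file readable by root/nginx only.
            extraConfig = ''
              include ${authelia-snippets.authelia-location};
              error_log /var/log/nginx/debug_radarr.log debug;
            '';
            locations."/" = {
              proxyPass = "http://${sin-address}:7878";
              proxyWebsockets = true;
              # Response-header hardening for the UI.
              # - Expect-CT was removed: the header is deprecated and browsers
              #   no longer act on it.
              # - X-XSS-Protection is set to "0": the legacy XSS auditor is gone
              #   from current browsers, and "1; mode=block" could itself be
              #   abused in the old ones that still honoured it.
              # - HSTS: the `preload` token only matters for preload-list
              #   submission, which also requires includeSubDomains and is done
              #   for the registrable domain, not a subdomain vhost.
              # - more_set_headers / more_clear_headers come from the
              #   headers-more module, which is not part of stock nginx.
              #   NOTE(review): confirm the module is added to the nginx build
              #   elsewhere in this configuration.
              extraConfig = ''
                include ${authelia-snippets.proxy};
                include ${authelia-snippets.authelia-authrequest};
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
                # From https://gist.github.com/R0GGER/916183fca41f02df1471a6f455e5869f
                # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
                add_header Strict-Transport-Security "max-age=63072000; preload" always;
                add_header Referrer-Policy strict-origin-when-cross-origin;
                add_header X-Content-Type-Options nosniff;
                add_header X-XSS-Protection "0";
                add_header X-Frame-Options SAMEORIGIN;
                add_header Content-Security-Policy upgrade-insecure-requests;
                add_header Permissions-Policy interest-cohort=();
                more_set_headers 'Server: Proxy';
                more_clear_headers 'X-Powered-By';
              '';
            };
            # NOTE(review): this location does not include the auth_request
            # snippet, so requests under /api skip Authelia and are protected
            # only by the backend's own API authentication. It also gets none of
            # the response headers set on "/". Confirm both are intended.
            locations."/api" = {
              proxyPass = "http://${sin-address}:7878";
              proxyWebsockets = true;
            };
          };
          # Static site served from the shoblog-front flake package.
          "shobu.fr" = {
            enableACME = true;
            forceSSL = true;
            root = "${inputs.shoblog-front.packages.x86_64-linux.default}/dist";
          };
          # NOTE(review): serves /mnt/shares/data as static files with no
          # authentication at the proxy; any file nginx can read under that path
          # is public to whoever knows or guesses its URL. Confirm the share
          # holds only material meant to be public.
          "data.shobu.fr" = {
            enableACME = true;
            forceSSL = true;
            root = "/mnt/shares/data";
          };
          "bddtrans.shobu.fr" = {
            enableACME = true;
            forceSSL = true;
            locations."/" = {
              proxyPass = "http://${sin-address}:8001";
            };
          };
          "bddtrans-api.shobu.fr" = {
            enableACME = true;
            forceSSL = true;
            locations."/" = {
              proxyPass = "http://${sin-address}:8000";
              proxyWebsockets = true;
            };
          };
          # "striped.shobu.fr" = {
          # enableACME = true;
          # forceSSL = true;
          # root = "${striped-front.packages.x86_64-linux.default}/dist";
          # };
          "dashboard.shobu.fr" = {
            enableACME = true;
            forceSSL = true;
            locations."/" = {
              proxyPass = "http://${sin-address}:8082";
            };
          };
          "git.shobu.fr" = {
            enableACME = true;
            forceSSL = true;
            locations."/" = {
              proxyPass = "http://${sin-address}:3000";
            };
          };
          # NOTE(review): the Authelia includes for this vhost are commented out
          # inside both nginx snippets, so uploads (up to 100M per request) and
          # downloads are gated only by the backend application's own login.
          "files.shobu.fr" = {
            enableACME = true;
            forceSSL = true;
            extraConfig = ''
              # include ${authelia-snippets.authelia-location};
              # error_log /var/log/nginx/debug_files.log debug;
            '';
            locations."/" = {
              proxyPass = "http://${sin-address}:8086";
              extraConfig = ''
                # include ${authelia-snippets.proxy};
                # include ${authelia-snippets.authelia-authrequest};
                proxy_set_header X-Real-IP $remote_addr;
                client_max_body_size 100M;
              '';
            };
          };
          # "matrix.shobu.fr" = {
          # forceSSL = true;
          # enableACME = true;
          # locations."/".extraConfig = ''
          # return 404;
          # '';
          # locations."/_matrix".proxyPass = "http://${sin-address}:8008";
          # locations."/_synapse/client".proxyPass = "http://${sin-address}:8008";
          # locations."/.well-known/matrix/server".proxyPass = "http://${sin-address}:8008/.well-known/matrix/server";
          # };
        }
      );
  };
  # ACME account settings shared by every vhost with enableACME = true.
  security.acme = {
    acceptTerms = true;
    defaults.email = "shobu_serhao@proton.me";
  };
}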