# nginx virtual hosts for the codewreck.org services on this machine.
# Shared nginx settings come from ../../profiles/nginx.nix (not visible here).
{ config, pkgs, ... }:

let
  # Applied to every vhost below: forceSSL redirects plain HTTP to HTTPS and
  # enableACME requests a certificate for the host name through ACME.
  tls = {
    forceSSL = true;
    enableACME = true;
  };
in
{
  imports = [ ../../profiles/nginx.nix ];

  # Read-only bind mount of one home sub-directory into the nginx unit's
  # filesystem view; nginx only ever sees it as /www/local and cannot write to it.
  systemd.services.nginx.serviceConfig.BindReadOnlyPaths = [
    "/home/asmadeus/www:/www/local"
  ];

  services.nginx.virtualHosts = {
    "jormungand.codewreck.org" = tls // {
      locations = {
        # The trailing slash on proxyPass makes nginx replace the matched
        # "/mpd/" prefix with "/" before forwarding to the loopback backend.
        "/mpd/" = {
          proxyPass = "http://127.0.0.1:8080/";
          # /var/spool/nginx/mpd.htpasswd has been populated manually
          # until proper secrets get managed...
          # NOTE(review): the file is not created by this module, so a fresh
          # deployment has no credentials file until it is copied over. Its
          # owner and mode are not set here either; it should be readable by
          # the nginx user only (confirm on the host).
          extraConfig = ''
            auth_basic "mpd";
            auth_basic_user_file /var/spool/nginx/mpd.htpasswd;
          '';
        };

        # root "/www" plus the "/local/" URI maps to /www/local/, i.e. the bind
        # mount above. No authentication is configured for this location here,
        # so anything placed in /home/asmadeus/www is publicly readable.
        "/local/" = {
          root = "/www";
        };

        # Everything else is sent to the main site with a temporary redirect.
        # $request_uri already carries the query string; the trailing "?" stops
        # nginx from appending it a second time.
        "/" = {
          extraConfig = ''
            rewrite ^ https://codewreck.org$request_uri? redirect;
          '';
        };
      };
    };

    "test.codewreck.org" = tls // {
      # WebSocket-capable proxy (HTTP/1.1 plus Upgrade/Connection headers) with
      # 30 minute read and send timeouts for long-lived connections.
      # NOTE(review): no access control is set at the proxy in this file; the
      # service on [::1]:10000 presumably authenticates clients itself (confirm).
      locations."/" = {
        proxyPass = "http://[::1]:10000/";
        extraConfig = ''
          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "upgrade";
          proxy_read_timeout 1800;
          proxy_send_timeout 1800;
        '';
      };
    };

    "miniflux.codewreck.org" = tls // {
      locations."/" = {
        proxyPass = "http://[::1]:8081/";
      };
    };

    "matrix.codewreck.org" = tls // {
      locations = {
        # Default deny: only the /_matrix prefix below reaches the backend.
        # Every other path on this host, including any other endpoint the
        # backend serves, is answered with 404 by nginx.
        "/" = {
          extraConfig = ''
            return 404;
          '';
        };

        # No URI part on proxyPass, so the request path is forwarded unchanged.
        "/_matrix" = {
          proxyPass = "http://[::1]:8008";
        };
      };
    };

    "riot.codewreck.org" = tls // {
      # Static element-web build served straight from the package output, with
      # the default homeserver baked into the client configuration.
      root = pkgs.element-web.override {
        conf = {
          default_server_config = {
            "m.homeserver" = {
              base_url = "https://matrix.codewreck.org";
              server_name = "codewreck.org";
            };
          };
        };
      };
    };
  };
}