NixOS/hosts/miniserver/nginx.nix

# Do not modify this file!  It was generated by ‘nixos-generate-config’

# and may be overwritten by future invocations.  Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, ... }:
let
  localhost = "127.0.0.1";
  # workstation = "192.168.1.64";
  domain = "servidos.lat";
  shioriPort = 4368;
  flamePort = 5005;
  secretFlamePort = 5007;
  # lidarrPort = 8686;
  qbitPort = 9091;
  # prowlarrPort = 9696;
  # radarrPort = 7878;
  # sonarrPort = 8989;
  mealiePort = 9925;
  ryotPort = 8765;
  scrobblePort = 9078;
  malojaPort = 42010;
  darkwirePort = 3001;
  metatubePort = 8881;
  # bazarrPort = config.services.bazarr.listenPort;
  # kavitaPort = config.services.kavita.port;
  vaultPort = config.services.vaultwarden.config.ROCKET_PORT;
  audiobookPort = config.services.audiobookshelf.port;
  microbinPort = config.services.microbin.settings.MICROBIN_PORT;
in {
  services.nginx = {
    enable = true;
    clientMaxBodySize = "4096m";
    # recommendedTlsSettings = true;
    # recommendedGzipSettings = true;
    # recommendedOptimisation = true;
    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
    virtualHosts = let
      base = locations: {
        inherit locations;
        forceSSL = true;
        enableACME = true;
        http2 = true;
      };
      proxy = port:
        base { "/".proxyPass = "http://${localhost}:${toString port}/"; };
      # proxyArr = port:
      #   proxy port // {
      #     extraConfig = ''
      #       proxy_set_header   Host $host;
      #       proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
      #       proxy_set_header   X-Forwarded-Host $host;
      #       proxy_set_header   X-Forwarded-Proto $scheme;
      #       proxy_set_header   Upgrade $http_upgrade;
      #       proxy_set_header   Connection $http_connection;

      #       proxy_redirect     off;
      #       proxy_http_version 1.1;
      #     '';
      #   };
    in {
      # "movies.${domain}" = proxyArr radarrPort // { };
      # "indexer.${domain}" = proxyArr prowlarrPort // { };
      # "music.${domain}" = proxyArr lidarrPort // { };
      # "library.${domain}" = proxy kavitaPort // { };
      "start.${domain}" = proxy flamePort // { };
      # "subs.${domain}" = proxy bazarrPort // { };
      # "series.${domain}" = proxy sonarrPort // { };
      "vault.${domain}" = proxy vaultPort // { };
      "copy.${domain}" = proxy microbinPort // { };
      "mealie.${domain}" = proxy mealiePort // { };
      "tracker.${domain}" = proxy ryotPort // { };
      "scrobble.${domain}" = proxy scrobblePort // { };
      "maloja.${domain}" = proxy malojaPort // { };
      "bookmarks.${domain}" = proxy shioriPort // { };
      "bajameesta.${domain}" = proxy metatubePort // { };
      "qampqwn4wprhqny8h8zj.${domain}" = proxy secretFlamePort // { };
      "xfwmrle6h6skqujbeizw.${domain}" = proxy qbitPort // { };
      "audiobooks.${domain}" = base {
        "/" = {
          proxyPass = "http://${localhost}:${toString audiobookPort}";
          extraConfig = ''
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Host              $host;
            proxy_set_header Upgrade           $http_upgrade;
            proxy_set_header Connection        "upgrade";

            proxy_http_version                  1.1;

            proxy_redirect                      http:// https://;
          '';
        };
      };
      "dontcancelmeplz.${domain}" = base {
        "/" = {
          proxyPass = "http://${localhost}:${toString darkwirePort}";
          proxyWebsockets = true;
          extraConfig = ''
            # Ensuring it can use websockets
            proxy_set_header   Upgrade $http_upgrade;
            proxy_set_header   Connection "upgrade";
            proxy_set_header   X-Real-IP $remote_addr;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header   X-Forwarded-Proto http;
            proxy_redirect     http:// $scheme://;

            # The proxy must preserve the host because gotify verifies the host with the origin
            # for WebSocket connections
            proxy_set_header   Host $host;

            # These sets the timeout so that the websocket can stay alive
            proxy_connect_timeout   1m;
            proxy_send_timeout      1m;
            proxy_read_timeout      1m;
          '';
        };
      };

    };
  };
  networking = {
    firewall = let open_firewall_ports = [ 80 443 ];
    in {
      enable = true;
      allowedTCPPorts = open_firewall_ports;
      allowedUDPPorts = open_firewall_ports;
    };
  };
}