{ config, lib, pkgs, ... }: { networking.firewall.allowedTCPPorts = [ 80 443 4443 ]; networking.firewall.allowedUDPPorts = [ 80 443 4443 ]; services.nginx = { enable = true; recommendedProxySettings = true; virtualHosts = { "git.ingolf-wagner.de" = { listen = [ { addr = "0.0.0.0"; port = 4443; ssl = true; } { addr = "0.0.0.0"; port = 80; ssl = false; } ]; forceSSL = true; enableACME = true; locations."/" = { proxyPass = "http://workhorse.private:3000"; }; }; "paste.ingolf-wagner.de" = { listen = [ { addr = "0.0.0.0"; port = 4443; ssl = true; } { addr = "0.0.0.0"; port = 80; ssl = false; } ]; forceSSL = true; enableACME = true; locations."/" = { proxyPass = "http://workhorse.private:8000"; }; }; #"landing.ingolf-wagner.de" = { # default = true; # listen = [ # { addr = "0.0.0.0"; port = 4443; ssl = true; } # { addr = "0.0.0.0"; port = 80; ssl = false; } # ]; # forceSSL = true; # enableACME = true; # locations."/" = { # root = "/srv/www/ingolf-wagner.de"; # }; #}; "travel.ingolf-wagner.de" = { listen = [ { addr = "0.0.0.0"; port = 4443; ssl = true; } { addr = "0.0.0.0"; port = 80; ssl = false; } ]; forceSSL = true; enableACME = true; locations."/" = { root = "/srv/www/travel"; extraConfig = '' if (-d $request_filename) { rewrite [^/]$ $scheme://$http_host$request_uri/ permanent; } ''; }; }; "tech.ingolf-wagner.de" = { listen = [ { addr = "0.0.0.0"; port = 4443; ssl = true; } { addr = "0.0.0.0"; port = 80; ssl = false; } ]; forceSSL = true; enableACME = true; locations."/" = { root = "/srv/www/tech"; extraConfig = '' if (-d $request_filename) { rewrite [^/]$ $scheme://$http_host$request_uri/ permanent; } ''; }; }; "terranix.org" = { listen = [ { addr = "0.0.0.0"; port = 4443; ssl = true; } { addr = "0.0.0.0"; port = 80; ssl = false; } ]; forceSSL = true; enableACME = true; locations."/" = { root = "/srv/www/terranix"; extraConfig = '' if (-d $request_filename) { rewrite [^/]$ $scheme://$http_host$request_uri/ permanent; } ''; }; }; "chat.ingolf-wagner.de" = { listen = [ { addr = "0.0.0.0"; port = 4443; ssl = true; } { addr = "0.0.0.0"; port = 80; ssl = false; } ]; forceSSL = true; enableACME = true; locations = { "/" = { proxyPass = "http://chat.workhorse.private"; proxyWebsockets = true; extraConfig = '' sub_filter "http://chat.ingolf-wagner.de" "https://chat.ingolf-wagner.de"; sub_filter "chat.workhorse.private" "chat.ingolf-wagner.de"; ''; }; }; }; "nextcloud.ingolf-wagner.de" = { listen = [ { addr = "0.0.0.0"; port = 4443; ssl = true; } { addr = "0.0.0.0"; port = 80; ssl = false; } ]; forceSSL = true; enableACME = true; locations = { "/" = { proxyPass = "http://nextcloud.workhorse.private"; extraConfig = '' sub_filter "http://nextcloud.ingolf-wagner.de" "https://nextcloud.ingolf-wagner.de"; sub_filter "nextcloud.workhorse.private" "nextcloud.ingolf-wagner.de"; # used for view/edit office file via Office Online Server client_max_body_size 0; ''; }; "= /.well-known/carddav" = { priority = 210; extraConfig = "return 301 $scheme://$host/remote.php/dav;"; }; "= /.well-known/caldav" = { priority = 210; extraConfig = "return 301 $scheme://$host/remote.php/dav;"; }; }; }; #"nextcloud.gaykraft.com" = { # listen = [ # { # addr = "0.0.0.0"; # port = 4443; # ssl = true; # } # { # addr = "0.0.0.0"; # port = 80; # ssl = false; # } # ]; # forceSSL = true; # enableACME = true; # locations."/" = { # proxyPass = "http://nextcloud.workhorse.private"; # extraConfig = '' # sub_filter "http://nextcloud.gaykraft.com" "https://nextcloud.gaykraft.com"; # sub_filter "nextcloud.workhorse.private" "nextcloud.gaykraft.com"; # # used for view/edit office file via Office Online Server # client_max_body_size 0; # ''; # }; #}; "seafile.gaykraft.com" = { listen = [ { addr = "0.0.0.0"; port = 4443; ssl = true; } { addr = "0.0.0.0"; port = 80; ssl = false; } ]; forceSSL = true; enableACME = true; locations."/" = { proxyPass = "http://workhorse.private:3030"; extraConfig = '' sub_filter "http://seafile.gaykraft.com" "https://seafile.gaykraft.com"; # used for view/edit office file via Office Online Server client_max_body_size 0; ''; }; }; "gaykraft.com" = { listen = [ { addr = "0.0.0.0"; port = 4443; ssl = true; } { addr = "0.0.0.0"; port = 80; ssl = false; } ]; forceSSL = true; enableACME = true; locations."/" = { root = "/srv/www/gaykraft"; }; }; }; }; services.sslh = { enable = true; listenAddress = "0.0.0.0"; port = 443; verbose = false; transparent = true; appendConfig = # json '' protocols: ( { name: "ssh"; service: "ssh"; host: "localhost"; port: "2222"; probe: "builtin"; }, { name: "ssl"; host: "localhost"; port: "4443"; probe: "builtin"; }, { name: "tinc"; host: "localhost"; port: "655"; probe: "builtin"; } ); ''; }; systemd.services."socat-proxy" = { wantedBy = [ "sslh.service" "multi-user.target" ]; after = [ "sslh.service" ]; script = '' ${pkgs.socat}/bin/socat TCP-LISTEN:2222,fork TCP:workhorse.private:2222 ''; #serviceConfig.User = "sslh"; }; }