✨ [pi4] Added initial Nginx config

hosts/pi4/default.nix

@@ -9,6 +9,7 @@
     ./hardware.nix
     ./mailserver.nix
     ./nextcloud.nix
+    ./nginx.nix
     ./podman.nix
     ./security
   ];

hosts/pi4/forgejo.nix

@@ -6,12 +6,21 @@
   ...
 }:
 let
+  cfg = config.services.forgejo;
+  srv = cfg.settings.server;
   domain = "beta.code.${common.domain}";
   passwordKey = "forgejo/admin-pass";
   runnerTokenKey = "forgejo/runner-token";
 in
 {
   services = {
+    nginx.virtualHosts.${domain} = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/".proxyPass = "http://127.0.0.1:${builtins.toString srv.HTTP_PORT}";
+      serverAliases = [ "beta.git.${common.domain}" ];
+    };
+
     forgejo = {
       enable = true;
       database.type = "postgres";

hosts/pi4/mailserver.nix

@@ -33,10 +33,14 @@ in
 
     # Use Let's Encrypt certificates. Note that this needs to set up a stripped
     # down nginx and opens port 80.
-    # certificateScheme = "acme-nginx";
+    certificateScheme = "acme-nginx";
   };
-  # security.acme.acceptTerms = true;
+
-  # security.acme.defaults.email = "security@example.com";
+  networking.firewall.allowedTCPPorts = [
+    25
+    465
+    587
+  ];
 
   services.nginx.virtualHosts.${cfg.fqdn}.listen = lib.mkForce [
     {

hosts/pi4/nginx.nix

@@ -0,0 +1,76 @@
+{
+  common,
+  ...
+}:
+let
+  domain = common.domain;
+  proxyTo = address: port: {
+    enableACME = true;
+    forceSSL = true;
+    locations."/".proxyPass = "${address}:${builtins.toString port}";
+  };
+  proxyLocations = locations: {
+    enableACME = true;
+    forceSSL = true;
+    inherit locations;
+  };
+  homelab = common.localIpAddr 231;
+  homelabProxy = proxyTo homelab; # TODO get homelab local ip from systems
+  redirect = subdomain: {
+    globalRedirect = if subdomain == "" then domain else "${subdomain}.${domain}";
+  };
+in
+{
+  services.nginx = {
+    enable = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    virtualHosts = {
+      # Beta is currently stable
+      "beta.${domain}" = redirect "";
+      "git.${domain}" = redirect "code";
+      "kitchenowl.${domain}" = redirect "grocery";
+      # Gitea
+      "code.${domain}" = homelabProxy 3000;
+      # Nextcloud
+      "nextcloud.${domain}" = proxyLocations {
+        "/".proxyPass = "${homelab}:11000";
+        "/.well-known/carddav".return = "301 /remote.php/dav";
+        "/.well-known/caldav".return = "301 /remote.php/dav";
+      };
+      # Kitchenowl
+      "grocery.${domain}" = homelabProxy 800;
+      # Actual budget
+      "budget.${domain}" = homelabProxy 5006;
+      # Uptime Kuma
+      "status.${domain}" = homelabProxy 3001;
+      # Headscale
+      "vpm.${domain}" = proxyLocations {
+        "/web".proxyPass = "${homelab}:8084";
+        "/".proxyPass = "${homelab}:8082";
+      };
+      # Headscale SmartDNS
+      "dns.${domain}" = homelabProxy 8082;
+      # FreshRSS
+      "rss.${domain}" = homelabProxy 8085;
+      # Ente backend
+      "api.ente.${domain}" = homelabProxy 8083;
+      # Ente Photos frontend
+      "ente.${domain}" = homelabProxy 3003;
+      # Ente Auth frontend
+      "mfa.${domain}" = homelabProxy 3004;
+      # Homepage / portfolio
+      "${domain}" = homelabProxy 4321;
+      # Yamtrack
+      "track.${domain}" = homelabProxy 8090;
+      # Donetick
+      "chore.${domain}" = homelabProxy 2021;
+    };
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "acme@${domain}";
+  };
+}