Original commit

modules/servermodules/nginx.nix

@@ -0,0 +1,76 @@
+{ rootdomain }:
+{
+  systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/logs/nginx" ];
+  services.nginx.enable = true;
+  services.nginx.commonHttpConfig = ''
+      log_format myformat '$remote_addr - $remote_user [$time_local] '
+                      '$host "$request" $status $body_bytes_sent '
+                      '"$http_referer" "$http_user_agent"';
+      '';
+
+  services.nginx.virtualHosts."default" = {
+      enableACME = false;
+      rejectSSL = true;
+      default = true;
+
+      locations."/" = {
+        return = 404;
+      };
+      extraConfig = ''
+        access_log /logs/nginx/nginx-access.log myformat;
+      '';
+  };
+
+
+  services.nginx.virtualHosts."grafana.${rootdomain}" = {
+      enableACME = true;
+      forceSSL = true;
+
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:3000";
+        proxyWebsockets = true;
+        recommendedProxySettings = true;
+      };
+      extraConfig = ''
+        access_log /logs/nginx/nginx-access.log myformat;
+      '';
+  };
+
+  services.nginx.virtualHosts."jellyfin.${rootdomain}" = {
+    enableACME = true;
+    forceSSL = true;
+
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:8096";
+      proxyWebsockets = true;
+      recommendedProxySettings = true;
+    };
+
+    locations."/metrics" = {
+      proxyPass = "http://127.0.0.1:8096/metrics";
+      recommendedProxySettings = true;
+      extraConfig = ''
+      allow 127.0.0.1;
+      allow 192.168.0.0/16;
+      allow 10.0.0.0/8;
+      allow 172.16.0.0/12;
+      deny all;
+      '';
+    };
+
+    extraConfig = ''
+      access_log /logs/nginx/nginx-access.log myformat;
+    '';
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "admin@${rootdomain}";
+  };
+
+  systemd.tmpfiles.rules = [
+  # Type  Path           Mode    User   Group  Age  Argument
+  "d /logs/nginx        0755    nginx  nginx  -    -"
+  ]
+}
+