Nixconfigs/modules/servermodules/nginx.nix

rootdomain: {
  systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/logs/nginx" ];
  services.nginx.enable = true;
  services.nginx.commonHttpConfig = ''
    log_format myformat '$remote_addr - $remote_user [$time_local] '
                    '$host "$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent"';
  '';

  services.nginx.virtualHosts."default" = {
    enableACME = false;
    rejectSSL = true;
    default = true;

    locations."/" = {
      return = 404;
    };
    extraConfig = ''
      access_log /logs/nginx/nginx-access.log myformat;
    '';
  };

  services.nginx.virtualHosts."grafana.${rootdomain}" = {
    enableACME = true;
    forceSSL = true;

    locations."/" = {
      proxyPass = "http://127.0.0.1:3000";
      proxyWebsockets = true;
      recommendedProxySettings = true;
    };
    extraConfig = ''
      access_log /logs/nginx/nginx-access.log myformat;
    '';
  };

  services.nginx.virtualHosts."jellyfin.${rootdomain}" = {
    enableACME = true;
    forceSSL = true;

    locations."/" = {
      proxyPass = "http://127.0.0.1:8096";
      proxyWebsockets = true;
      recommendedProxySettings = true;
    };

    locations."/metrics" = {
      proxyPass = "http://127.0.0.1:8096/metrics";
      recommendedProxySettings = true;
      extraConfig = ''
        allow 127.0.0.1;
        allow 192.168.0.0/16;
        allow 10.0.0.0/8;
        allow 172.16.0.0/12;
        deny all;
      '';
    };

    extraConfig = ''
      access_log /logs/nginx/nginx-access.log myformat;
    '';
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "admin@${rootdomain}";
  };

  services.nginx.virtualHosts."git.${rootdomain}" = {
    enableACME = true;
    forceSSL = true;

    locations."/" = {
      proxyPass = "http://127.0.0.1:3028";
      recommendedProxySettings = true;
    };

    locations."/metrics" = {
      proxyPass = "http://127.0.0.1:3028/metrics";
      recommendedProxySettings = true;
      extraConfig = ''
        allow 127.0.0.1;
        allow 192.168.0.0/16;
        allow 10.0.0.0/8;
        allow 172.16.0.0/12;
        deny all;
      '';
    };

    extraConfig = ''
      access_log /logs/nginx/nginx-access.log myformat;
    '';
  };

  systemd.tmpfiles.rules = [
    # Type  Path           Mode    User   Group  Age  Argument
    "d /logs/nginx        0755    nginx  nginx  -    -"
  ];
}