From 437fd67d9bcc26b2a331e0a45ced6b5e492dc702 Mon Sep 17 00:00:00 2001 From: Tigor Hutasuhut Date: Sun, 24 Nov 2024 20:46:15 +0700 Subject: [PATCH] nginx: moved all reverse proxy configurations to nginx --- system/services/jellyfin.nix | 23 +++++++++++++++++++++++ system/services/kavita.nix | 11 +++++++++++ system/services/navidrome.nix | 11 +++++++++++ system/services/nginx.nix | 1 + system/services/ntfy-sh.nix | 11 +++++++++++ system/services/photoprism.nix | 12 ++++++++++++ system/services/syncthing.nix | 11 +++++++++++ 7 files changed, 80 insertions(+) diff --git a/system/services/jellyfin.nix b/system/services/jellyfin.nix index c747212..d60599c 100644 --- a/system/services/jellyfin.nix +++ b/system/services/jellyfin.nix @@ -16,6 +16,20 @@ in chmod -R 0777 /nas/mediaserver ''; + services.nginx.virtualHosts."${domain}" = { + enableACME = true; + forceSSL = true; + locations = { + "= /metrics" = { + return = "403"; + }; + "/" = { + proxyPass = "http://0.0.0.0:8096"; + proxyWebsockets = true; + }; + }; + }; + services.caddy.virtualHosts.${domain}.extraConfig = '' @public not remote_ip private_ranges @@ -44,6 +58,15 @@ in reverse_proxy 0.0.0.0:5055 ''; }; + + services.nginx.virtualHosts.${domain-jellyseerr} = mkIf cfg.jellyseerr.enable { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://0.0.0.0:5055"; + proxyWebsockets = true; + }; + }; services.jellyfin = { enable = true; inherit dataDir; diff --git a/system/services/kavita.nix b/system/services/kavita.nix index 9e0e577..d5b3c5f 100644 --- a/system/services/kavita.nix +++ b/system/services/kavita.nix 
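Review bot: The `"= /metrics"` location in the first jellyfin.nix hunk is an exact, case-sensitive match, so a request for `/Metrics` or `/metrics/` falls through to the `"/"` location and is proxied to the backend. If Jellyfin routes that path case-insensitively (likely, but not shown in this patch), the 403 does not cover it; a regex location such as `"~* ^/metrics/?$" = { return = "403"; };` closes that gap. The block also denies every client, whereas the Caddy config kept in context defines `@public not remote_ip private_ranges`, which suggests private ranges were previously let through. If a local scraper reaches Jellyfin via this hostname, an `allow`/`deny` pair in the location's `extraConfig` would preserve that behaviour instead of a blanket `return`.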
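Review bot: `proxyPass = "http://0.0.0.0:5055"` in the Jellyseerr vhost uses the wildcard address as a connect target; Linux happens to route that to the local host, but it is not a defined destination, and `http://127.0.0.1:5055` states the intent. The same applies to the `proxyPass` lines in the first jellyfin.nix hunk and in the kavita, navidrome, ntfy-sh, photoprism and syncthing hunks. If these services really listen on 0.0.0.0 (their bind addresses are not visible in this patch), their plain-HTTP ports stay reachable around nginx, bypassing `forceSSL` and the `/metrics` block, unless the firewall closes them. Binding the backends to loopback would make the proxy the only entry point.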
@@ -23,6 +23,17 @@ in services.caddy.virtualHosts."kavita.tigor.web.id".extraConfig = '' reverse_proxy 0.0.0.0:${toString config.services.kavita.settings.Port} ''; + + services.nginx.virtualHosts."kavita.tigor.web.id" = { + enableACME = true; + forceSSL = true; + locations = { + "/" = { + proxyPass = "http://0.0.0.0:${toString config.services.kavita.settings.Port}"; + proxyWebsockets = true; + }; + }; + }; services.kavita = { enable = true; tokenKeyFile = config.sops.secrets."kavita/token".path; diff --git a/system/services/navidrome.nix b/system/services/navidrome.nix index 828ff16..b282a22 100644 --- a/system/services/navidrome.nix +++ b/system/services/navidrome.nix @@ -10,6 +10,17 @@ in reverse_proxy 0.0.0.0:${toString config.services.navidrome.settings.Port} ''; + services.nginx.virtualHosts."navidrome.tigor.web.id" = { + enableACME = true; + forceSSL = true; + locations = { + "/" = { + proxyPass = "http://0.0.0.0:${toString config.services.navidrome.settings.Port}"; + proxyWebsockets = true; + }; + }; + }; + users.groups.navidrome.members = [ user.name ]; users.groups.${user.name}.members = [ "navidrome" ]; diff --git a/system/services/nginx.nix b/system/services/nginx.nix index c5ac0e5..9deed85 100644 --- a/system/services/nginx.nix +++ b/system/services/nginx.nix @@ -26,6 +26,7 @@ in recommendedProxySettings = true; recommendedZstdSettings = true; recommendedBrotliSettings = true; + enableReload = true; }; users.users.nginx.extraGroups = [ "acme" ]; diff --git a/system/services/ntfy-sh.nix b/system/services/ntfy-sh.nix index 5a83e18..1f09554 100644 --- a/system/services/ntfy-sh.nix +++ b/system/services/ntfy-sh.nix @@ -18,6 +18,17 @@ lib.mkMerge [ reverse_proxy ${listenAddress} ''; + services.nginx.virtualHosts.${domain} = { + enableACME = true; + forceSSL = true; + locations = { + "/" = { + proxyPass = "http://0.0.0.0:15150"; + proxyWebsockets = true; + }; + }; + }; + services.ntfy-sh = { enable = true; settings = 
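Review bot: The nginx vhost added in ntfy-sh.nix hard-codes `http://0.0.0.0:15150`, while the Caddy line directly above it proxies to `${listenAddress}`, so the two can drift apart when the listen address is changed. Assuming `listenAddress` is a `host:port` string (its definition is outside the hunk), `proxyPass = "http://${listenAddress}";` keeps a single source of truth. The enclosing `lib.mkMerge` list starts and ends outside the hunk.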
diff --git a/system/services/photoprism.nix b/system/services/photoprism.nix index 5fa8755..00c04e9 100644 --- a/system/services/photoprism.nix +++ b/system/services/photoprism.nix @@ -20,6 +20,18 @@ in services.caddy.virtualHosts.${domain}.extraConfig = '' reverse_proxy 0.0.0.0:${toString config.services.photoprism.port} ''; + + services.nginx.virtualHosts.${domain} = { + enableACME = true; + forceSSL = true; + locations = { + "/" = { + proxyPass = "http://0.0.0.0:${toString config.services.photoprism.port}"; + proxyWebsockets = true; + }; + }; + }; + sops.secrets."photoprism/admin_password" = { sopsFile = ../../secrets/photoprism.yaml; }; diff --git a/system/services/syncthing.nix b/system/services/syncthing.nix index c5aa64c..98b2c9a 100644 --- a/system/services/syncthing.nix +++ b/system/services/syncthing.nix @@ -16,6 +16,17 @@ in services.caddy.virtualHosts."syncthing.tigor.web.id".extraConfig = '' reverse_proxy 0.0.0.0:8384 ''; + + services.nginx.virtualHosts."syncthing.tigor.web.id" = { + enableACME = true; + forceSSL = true; + locations = { + "/" = { + proxyPass = "http://0.0.0.0:8384"; + proxyWebsockets = true; + }; + }; + }; sops.secrets = let opts = {
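Review bot: Uploads through the new photoprism.nix vhost become subject to nginx's request-body limit, which Caddy does not impose by default. Unless `services.nginx.clientMaxBodySize` is raised in nginx.nix outside the visible hunk, large photo or video uploads will likely be rejected with 413. Consider setting an explicit, finite limit on the `"/"` location, e.g. `extraConfig = "client_max_body_size 1g;";` (constructed value; size it to your largest expected upload), rather than disabling the limit entirely.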
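Review bot: The syncthing.nix vhost publishes the Syncthing admin GUI (port 8384) under a public hostname with no access control at the proxy, so the only barrier is whatever GUI authentication Syncthing itself has configured, which is not visible in this hunk. Consider restricting the `"/"` location, for example `extraConfig = "allow 192.168.0.0/16; deny all;";` for a LAN-only GUI (placeholder range; substitute your own), or `basicAuthFile` pointing at a sops-managed secret. The surrounding attribute set continues outside the hunk.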