nginx: moved all reverse proxy configurations to nginx

system/services/jellyfin.nix

@@ -16,6 +16,20 @@ in
       chmod -R 0777 /nas/mediaserver
     '';
 
+    services.nginx.virtualHosts."${domain}" = {
+      enableACME = true;
+      forceSSL = true;
+      locations = {
+        "= /metrics" = {
+          return = "403";
+        };
+        "/" = {
+          proxyPass = "http://0.0.0.0:8096";
+          proxyWebsockets = true;
+        };
+      };
+    };
+
     services.caddy.virtualHosts.${domain}.extraConfig = ''
       @public not remote_ip private_ranges
 
@@ -44,6 +58,15 @@ in
         reverse_proxy 0.0.0.0:5055
       '';
     };
+
+    services.nginx.virtualHosts.${domain-jellyseerr} = mkIf cfg.jellyseerr.enable {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "http://0.0.0.0:5055";
+        proxyWebsockets = true;
+      };
+    };
     services.jellyfin = {
       enable = true;
       inherit dataDir;

system/services/kavita.nix

@@ -23,6 +23,17 @@ in
     services.caddy.virtualHosts."kavita.tigor.web.id".extraConfig = ''
       reverse_proxy 0.0.0.0:${toString config.services.kavita.settings.Port}
     '';
+
+    services.nginx.virtualHosts."kavita.tigor.web.id" = {
+      enableACME = true;
+      forceSSL = true;
+      locations = {
+        "/" = {
+          proxyPass = "http://0.0.0.0:${toString config.services.kavita.settings.Port}";
+          proxyWebsockets = true;
+        };
+      };
+    };
     services.kavita = {
       enable = true;
       tokenKeyFile = config.sops.secrets."kavita/token".path;

system/services/navidrome.nix

@@ -10,6 +10,17 @@ in
       reverse_proxy 0.0.0.0:${toString config.services.navidrome.settings.Port}
     '';
 
+    services.nginx.virtualHosts."navidrome.tigor.web.id" = {
+      enableACME = true;
+      forceSSL = true;
+      locations = {
+        "/" = {
+          proxyPass = "http://0.0.0.0:${toString config.services.navidrome.settings.Port}";
+          proxyWebsockets = true;
+        };
+      };
+    };
+
     users.groups.navidrome.members = [ user.name ];
     users.groups.${user.name}.members = [ "navidrome" ];
 

system/services/nginx.nix

@@ -26,6 +26,7 @@ in
       recommendedProxySettings = true;
       recommendedZstdSettings = true;
       recommendedBrotliSettings = true;
+      enableReload = true;
     };
 
     users.users.nginx.extraGroups = [ "acme" ];

system/services/ntfy-sh.nix

@@ -18,6 +18,17 @@ lib.mkMerge [
       reverse_proxy ${listenAddress}
     '';
 
+    services.nginx.virtualHosts.${domain} = {
+      enableACME = true;
+      forceSSL = true;
+      locations = {
+        "/" = {
+          proxyPass = "http://0.0.0.0:15150";
+          proxyWebsockets = true;
+        };
+      };
+    };
+
     services.ntfy-sh = {
       enable = true;
       settings =

system/services/photoprism.nix

@@ -20,6 +20,18 @@ in
     services.caddy.virtualHosts.${domain}.extraConfig = ''
       reverse_proxy 0.0.0.0:${toString config.services.photoprism.port}
     '';
+
+    services.nginx.virtualHosts.${domain} = {
+      enableACME = true;
+      forceSSL = true;
+      locations = {
+        "/" = {
+          proxyPass = "http://0.0.0.0:${toString config.services.photoprism.port}";
+          proxyWebsockets = true;
+        };
+      };
+    };
+
     sops.secrets."photoprism/admin_password" = {
       sopsFile = ../../secrets/photoprism.yaml;
     };

system/services/syncthing.nix

@@ -16,6 +16,17 @@ in
     services.caddy.virtualHosts."syncthing.tigor.web.id".extraConfig = ''
       reverse_proxy 0.0.0.0:8384
     '';
+
+    services.nginx.virtualHosts."syncthing.tigor.web.id" = {
+      enableACME = true;
+      forceSSL = true;
+      locations = {
+        "/" = {
+          proxyPass = "http://0.0.0.0:8384";
+          proxyWebsockets = true;
+        };
+      };
+    };
     sops.secrets =
       let
         opts = {