diff --git a/machines/moritz-server/reverse-proxy.nix b/machines/moritz-server/reverse-proxy.nix
index 8635ebe..7b09040 100644
--- a/machines/moritz-server/reverse-proxy.nix
+++ b/machines/moritz-server/reverse-proxy.nix
@@ -1,4 +1,4 @@
-{
+{config, ...}: {
 services.fail2ban = {
 enable = true;
 bantime-increment.enable = true;
@@ -49,7 +49,7 @@
 '';
 };
- networking.firewall.allowedTCPPorts = [80 443];
+ networking.firewall.allowedTCPPorts = [80 1443 443];
 services.nginx = {
 enable = true;
 recommendedProxySettings = true;
@@ -61,8 +61,20 @@
 };
 };
 "moritz.foo" = {
+ forceSSL = true;
+ useACMEHost = "moritz.foo";
 locations."/" = {
- return = "200 'Hello World!'";
+ return = "301 https://www.moritz.foo";
+ };
+ };
+ "www.moritz.foo" = {
+ forceSSL = true;
+ useACMEHost = "any.moritz.foo";
+ locations."/" = {
+ extraConfig = ''
+ add_header Content-Type text/html;
+ '';
+ return = "200 'Hello World'";
 };
 };
 };
@@ -76,18 +88,37 @@
 }
 map $ssl_preread_server_name $name {
- *.moritz.foo self;
- moritz.foo self;
- *.moritzboeh.me diskstation;
- moritzboeh.me diskstation;
- default diskstation;
+ hostnames;
+ .moritz.foo self;
+ .moritzboeh.me diskstation;
 }
 server {
- listen 443;
+ listen 1443;
 ssl_preread on;
 proxy_pass $name;
 }
 '';
 };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "acme@moritzboeh.me";
+ defaults.dnsResolver = "1.1.1.1:53";
+ certs."moritz.foo" = {
+ dnsProvider = "cloudflare";
+ group = "nginx";
+ environmentFile = config.clan.core.vars.generators.acme.files.vars.path;
+ };
+ certs."any.moritz.foo" = {
+ domain = "*.moritz.foo";
+ dnsProvider = "cloudflare";
+ group = "nginx";
+ environmentFile = config.clan.core.vars.generators.acme.files.vars.path;
+ };
+ };
+ clan.core.vars.generators.acme.prompts.vars = {
+ persist = true;
+ type = "multiline";
+ };
 }
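Review bot: Adding 1443 to `networking.firewall.allowedTCPPorts` exposes the SNI-routing stream server (moved to `listen 1443;` in the last hunk) to every client that can reach the host, in addition to the HTTPS vhosts that now answer on 443. If 1443 is only an internal hop that a port-forward or the `self` upstream is meant to reach, it should not be in the firewall list or the stream server should bind a loopback/LAN address; if it is the intended external port, a comment on this line such as `# 1443: stream SNI router (external), 443: nginx http vhosts` would spare the next reader the question. The `self` and `diskstation` upstream definitions are outside the visible hunks, so I cannot confirm which ports they target.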
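Review bot: `add_header Content-Type text/html;` in the `www.moritz.foo` location does not replace the response's Content-Type; for a `return 200 ...` body nginx still emits the type from `default_type`, so clients receive two Content-Type headers and may honour the wrong one. Replace that line in `extraConfig` with `default_type text/html;`. The apex redirect `return = "301 https://www.moritz.foo";` discards the original request path, which is fine if everything is meant to land on the www root; a short comment there (`# apex only redirects; content is served from www`) makes that intent explicit.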
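Review bot: Dropping `default diskstation;` from the `$ssl_preread_server_name` map means a connection whose SNI matches neither `.moritz.foo` nor `.moritzboeh.me`, or that sends no SNI at all, now reaches `proxy_pass $name;` with an empty upstream and is rejected rather than forwarded to the diskstation. Failing closed for unknown names is the safer default, but it is a behaviour change worth recording: if intended, add `# no default: unknown or missing SNI is dropped, not forwarded` above the map, otherwise restore `default diskstation;`. With `hostnames;` in effect, `.moritz.foo` matches both the apex and all subdomains, so the two removed `*.`/bare entries per domain are still covered.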