nixfiles-emily/config/hosts/crime/nginx.nix

{ config, pkgs, lib, ... }:
let 
  landingPage = pkgs.writeTextFile {
    name = "index.html";
    text = '' 
    <!DOCTYPE html>
    <html>
    <head>
    <title>crime.kyouma.net</title>
    <style>
    body {
      width: 35em;
      margin: 0 auto;
      font-family: Tahoma, Verdana, Arial, sans-serif;
    }
    </style>
    </head>
    <body>
    <h1>Welcome to crime.kyouma.net!</h1>
    <p>If you see this page, the nginx web server is successfully installed and
    working. Further configuration is required.</p>

    <p>Sonarr
    <a href="https://crime.kyouma.net/sonarr">crime.kyouma.net/sonarr</a><br/>
    Radarr
    <a href="https://crime.kyouma.net/radarr">crime.kyouma.net/radarr</a><br/>
    Prowlarr
    <a href="https://crime.kyouma.net/prowlarr">crime.kyouma.net/prowlarr</a></p>

    <p><em>Thank you for using nginx.</em></p>
    </body>
    </html>
    '';
    destination = "/index.html";
  };
  extraConfig = ''
    add_header Strict-Transport-Security    $hsts_header;
    add_header X-Content-Type-Options       "nosniff" always;
    add_header X-XSS-Protection             "1; mode=block" always;
    add_header X-Frame-Options              "SAMEORIGIN" always;
    add_header Referrer-Policy              "same-origin" always;
  '';
  proxyConfig = ''
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Protocol $scheme;
    proxy_set_header X-Forwarded-Host $http_host;
  '';
  jellyAddr = "[::1]";
  jellyWeb = {
    forceSSL = true;
    http3 = true;
    quic = true;
    inherit extraConfig;

    locations = {
      "= /".return = "302 https://$host/web/";
      "/" = {
        proxyPass = "http://${jellyAddr}:8096";
        extraConfig = ''
          ${proxyConfig}
          proxy_buffering on;
        '';
      };
      "= /web/" = {
        proxyPass = "http://${jellyAddr}:8096/web/index.html";
        extraConfig = proxyConfig;
      };
      "/socket" = {
        proxyPass = "http://${jellyAddr}:8096";
        proxyWebsockets = true;
        extraConfig = proxyConfig;
      };
    };
  };
in {
  services.nginx = {
    virtualHosts = {
      "fentanyl.trade" = jellyWeb // {
        enableACME = true;
      };
      "frotti.ng" = jellyWeb // {
        useACMEHost = "fentanyl.trade";
      };
    };
    createHost = {
      "watch.kyouma.net" = { redirectTo = "fentanyl.trade"; };
      "redirect" = {
        default = true;
        reuseport = true;
        useACMEHost = "fentanyl.trade";
        extraConfig = ''
          return 403;
        '';
      };
      "crime.kyouma.net" = {
        listenAddresses = [ "[2a0f:be01:0:100::1338]" ];
        locations = {
          "/".root = landingPage;
          "/sonarr/" = {
            proxyPass = "http://127.0.0.1:8989";
            recommendedProxySettings = true;
          };
          "/radarr/" = {
            proxyPass = "http://127.0.0.1:7878";
            recommendedProxySettings = true;
          };
          "/prowlarr/" = {
            proxyPass = "http://127.0.0.1:9696";
            recommendedProxySettings = true;
          };
        };
      };
    };
  };
  security.acme.certs = {
    "fentanyl.trade" = { extraDomainNames = [ "frotti.ng" "watch.kyouma.net" ]; };
    "crime.kyouma.net" = {};
  };
}