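# NixOS module: certificate names and nginx reverse-proxy virtual hosts for
# the search host (proxied to localhost:3000) and the backend host (proxied to
# localhost:4000). String literals are written without the stray spaces that
# would otherwise end up inside host names, URLs and nginx directives.
{ config, pkgs, nixpkgs, ... }:
{
  imports = [
    ./common.nix
  ];

  # Extra subject alternative names on the certificate for the base domain.
  # Both vhosts below reuse this certificate through useACMEHost.
  # NOTE(review): "submission" is requested here but has no virtualHost in
  # this file; presumably it is defined elsewhere, confirm it is still needed.
  security.acme.certs."${config.networking.domain}".extraDomainNames = [
    "backend.${config.networking.domain}"
    "search.${config.networking.domain}"
    "submission.${config.networking.domain}"
  ];

  services.nginx.virtualHosts = {
    "search.${config.networking.domain}" = {
      #default = true; ## we would need cors settings supporting multiple hosts
      forceSSL = true;
      useACMEHost = config.networking.domain;

      # Required as a quick+dirty hack while the !changed! backend password is
      # delivered from the frontend :/
      # Todo: integrate LoginForm into frontend
      # Later: For defence in depth
      # NOTE(review): the htpasswd file comes from the sops secret
      # "nginx-passwd"; assumes that secret is declared elsewhere and is
      # readable by the nginx user (sops.secrets.<name>.owner), confirm.
      basicAuthFile = config.sops.secrets."nginx-passwd".path;

      locations."/" = {
        proxyPass = "http://localhost:3000";
        #proxyWebsockets = true;
        # NOTE(review): proxy_pass_header controls which *response* headers
        # from the upstream are passed on to the client; it does not forward
        # the request's Authorization header. Request headers, Authorization
        # included, already go upstream by default unless overridden with
        # proxy_set_header, so with basicAuthFile set the basic-auth
        # credentials also reach the app on :3000. Confirm that is intended.
        extraConfig = "proxy_pass_header Authorization;";
      };
    };

    # NOTE(review): no basicAuthFile on this vhost, so it is reachable without
    # the nginx-level password; access control rests entirely on the backend's
    # own authentication, whose password (per the comment on the search vhost)
    # is currently handed out by the frontend.
    "backend.${config.networking.domain}" = {
      forceSSL = true;
      useACMEHost = config.networking.domain;
      locations."/" = {
        proxyPass = "http://localhost:4000";
        # Same directive as on the search vhost: it affects upstream response
        # headers only, see the nginx documentation for proxy_pass_header.
        extraConfig = "proxy_pass_header Authorization;";
      };
    };
  };
}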