beherbergung/deployment/modules/nginx/beherbergung.nix

37 lines
1.3 KiB
Nix

{ config, pkgs, nixpkgs, ... }:
{
imports = [
./common.nix
];
security.acme.certs."${config.networking.domain}".extraDomainNames = [
"backend.${config.networking.domain}"
"search.${config.networking.domain}"
"submission.${config.networking.domain}"
];
services.nginx.virtualHosts = {
"search.${config.networking.domain}" = {
#default = true; ## we would need cors settings supporting multiple hosts
forceSSL = true;
useACMEHost = config.networking.domain;
basicAuthFile = config.sops.secrets."nginx-passwd".path; # Required as a quick+dirty hack while the !changed! backend password is delivered from the frontend :/
# Todo: integrate LoginForm into frontend
# Later: For defence in depth
locations."/" = {
proxyPass = "http://localhost:3000";
#proxyWebsockets = true;
extraConfig = "proxy_pass_header Authorization;";
};
};
"backend.${config.networking.domain}" = {
forceSSL = true;
useACMEHost = config.networking.domain;
locations."/" = {
proxyPass = "http://localhost:4000";
extraConfig = "proxy_pass_header Authorization;";
};
};
};
}