Add nginx

modules/nixos/server/default.nix

@@ -9,5 +9,6 @@
     ./wireguard.nix
     ./headscale.nix
     ./photoprism.nix
+    ./nginx.nix
   ];
 }

modules/nixos/server/nginx.nix

@@ -7,14 +7,62 @@
   };
 
   config = lib.mkIf config.mods.server.nginx.enable {
+    # ACME won't be able to authenticate your domain
+    # if ports 80 & 443 aren't open in your firewall.
+    networking.firewall = { allowedTCPPorts = [ 443 80 ]; };
+    security.acme.defaults.email = "acme@muon.host";
+    security.acme.acceptTerms = true;
+
     services.nginx = {
+      enable = true;
+
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
       recommendedProxySettings = true;
-      virtualHosts."*.muon.host" = {
-        locations."/" = {
-          proxyPass = "http://100.112.114.27:443";
-          proxyWebsockets = true; # needed if you need to use WebSocket
-          extraConfig = "proxy_ssl_server_name on;";
+      recommendedTlsSettings = true;
+
+      # Only allow PFS-enabled ciphers with AES256
+      # sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+
+      appendHttpConfig = ''
+        # Add HSTS header with preloading to HTTPS requests.
+        # Adding this header to HTTP requests is discouraged
+        # map $scheme $hsts_header {
+            # https   "max-age=31536000; includeSubdomains; preload";
+        # }
+        # add_header Strict-Transport-Security $hsts_header;
+
+        # Enable CSP for your services.
+        #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+
+        # Minimize information leaked to other domains
+        add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+        # Disable embedding as a frame
+        add_header X-Frame-Options DENY;
+
+        # Prevent injection of code in other mime types (XSS Attacks)
+        add_header X-Content-Type-Options nosniff;
+
+        # This might create errors
+        # proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+
+        # required when the server wants to use HTTP Authentication
+        proxy_pass_header Authorization;
+      '';
+
+      virtualHosts = let
+        base = locations: {
+          inherit locations;
+
+          forceSSL = true;
+          enableACME = true;
         };
+        proxy = port:
+          base { "/".proxyPass = "http://10.0.0.3:" + toString (port) + "/"; };
+      in {
+        # Define example.com as reverse-proxied service on 127.0.0.1:3000
+        "photos.muon.host" = proxy 2283 // { default = true; };
       };
     };
   };

modules/nixos/server/wireguard.nix

@@ -44,11 +44,17 @@
           ${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o ens3 -j MASQUERADE
         '';
 
-        peers = [{ # peer0
+        peers = [
+          { # peer0
             publicKey = "MDBdADwP/SE/T9cadXB1Mup7Dr3x+l6gBFBN83BU4Dg=";
             presharedKeyFile = "/home/muon/wireguard-keys/psk-muon";
             allowedIPs = [ "10.0.0.2/32" "fdc9:281f:04d7:9ee9::2/128" ];
           }
+          { # peer1
+            publicKey = "ohf/tGV9bjDDh/i9U5+DNvFtn+Glm8Wy1ieHoPvXfCo=";
+            presharedKeyFile = "/home/muon/wireguard-keys/psk-muho";
+            allowedIPs = [ "10.0.0.3/32" "fdc9:281f:04d7:9ee9::3/128" ];
+          }
           # More peers can be added here.
         ];
       };