Home: Rewrite nginx to use nixos options.

2025-01-09 15:38:56 +03:00 · 2025-01-09 15:38:56 +03:00 · 12c84cfe51
parent 0413a97ad9
commit 12c84cfe51
26 changed files with 303 additions and 426 deletions
--- a/config/Syncthing.nix
+++ b/config/Syncthing.nix
@ -102,7 +102,7 @@ in
              };
              "dasha" = {
                path = "${cfg.dataDir}/dasha";
-                devices = allDashaDevices;
+                devices = ["home"] ++ allDashaDevices;
              };
            };
        };
--- a/host/x86_64-linux/home/Const.nix
+++ b/host/x86_64-linux/home/Const.nix
@ -1,7 +1,19 @@
 { ... }: {
  config.const.host = {
-    domain = "voronind.com";
-    sslCertificate = "/etc/letsencrypt/live/voronind.com/fullchain.pem";
-    sslCertificateKey = "/etc/letsencrypt/live/voronind.com/privkey.pem";
+    nginx = {
+      domain = "voronind.com";
+      sslCertificate = "/etc/letsencrypt/live/voronind.com/fullchain.pem";
+      sslCertificateKey = "/etc/letsencrypt/live/voronind.com/privkey.pem";
+      allowLocal = ''
+        allow 10.0.0.0/8;
+        allow fd09:8d46:b26::/48;
+        deny all;
+      '';
+      extraConfig = ''
+        listen 443 ssl;
+        include /etc/letsencrypt/conf/options-ssl-nginx.conf;
+        ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
+      '';
+    };
  };
 }
--- a/host/x86_64-linux/home/nginx/Camera.nix
+++ b/host/x86_64-linux/home/nginx/Camera.nix
@ -1,18 +1,13 @@
-{ ... }:
+{ config, ... }:
+let
+  cfg = config.const.host.nginx;
+in
 {
-  "camera.voronind.com".extraConfig = ''
-    listen 443 ssl;
-
-    location / {
-      allow 10.0.0.0/8;
-      allow fd09:8d46:b26::/48;
-      deny all;
-      return 301 rtsp://10.0.0.12:554/live/main;
-    }
-
-    ssl_certificate /etc/letsencrypt/live/voronind.com/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/voronind.com/privkey.pem;
-    include /etc/letsencrypt/conf/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
-  '';
+  "camera.${cfg.domain}" = {
+    inherit (cfg) sslCertificate sslCertificateKey extraConfig;
+    locations."/" = {
+      extraConfig = cfg.allowLocal;
+      return = "301 rtsp://10.0.0.12:554/live/main";
+    };
+  };
 }
--- a/host/x86_64-linux/home/nginx/Change.nix
+++ b/host/x86_64-linux/home/nginx/Change.nix
@ -1,21 +1,15 @@
-{ ... }:
+{ config, ... }:
+let
+  cfg = config.const.host.nginx;
+in
 {
-  "change.voronind.com".extraConfig = ''
-    listen 443 ssl;
-
-    location / {
-      allow 10.0.0.0/8;
-      allow fd09:8d46:b26::/48;
-      deny all;
-
-      proxy_pass http://127.0.0.1:5001$request_uri;
-
-      add_header Referrer-Policy 'origin';
-    }
-
-    ssl_certificate /etc/letsencrypt/live/voronind.com/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/voronind.com/privkey.pem;
-    include /etc/letsencrypt/conf/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
-  '';
+  "change.${cfg.domain}" = {
+    inherit (cfg) sslCertificate sslCertificateKey extraConfig;
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:5001$request_uri";
+      extraConfig = cfg.allowLocal + ''
+        add_header Referrer-Policy 'origin';
+      '';
+    };
+  };
 }
--- a/host/x86_64-linux/home/nginx/Cups.nix
+++ b/host/x86_64-linux/home/nginx/Cups.nix
@ -1,23 +1,18 @@
-{ ... }:
+{ config, ... }:
+let
+  cfg = config.const.host.nginx;
+in
 {
-  "print.voronind.com".extraConfig = ''
-    listen 443 ssl;
-
-    location / {
-      allow 10.0.0.0/8;
-      allow fd09:8d46:b26::/48;
-      deny all;
-
-      proxy_pass http://[::1]:631$request_uri;
-
-      proxy_set_header Host "127.0.0.1";
-      proxy_set_header X-Real-IP $remote_addr;
-      proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
-    }
-
-    ssl_certificate /etc/letsencrypt/live/voronind.com/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/voronind.com/privkey.pem;
-    include /etc/letsencrypt/conf/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
-  '';
+  "print.${cfg.domain}" = {
+    inherit (cfg) sslCertificate sslCertificateKey extraConfig;
+    locations."/" = {
+      proxyPass = "http://[::1]:631$request_uri";
+      recommendedProxySettings = false;
+      extraConfig = cfg.allowLocal + ''
+        proxy_set_header Host "127.0.0.1";
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
+      '';
+    };
+  };
 }
--- a/host/x86_64-linux/home/nginx/Davis.nix
+++ b/host/x86_64-linux/home/nginx/Davis.nix
@ -1,16 +1,10 @@
 { config, ... }:
+let
+  cfg = config.const.host.nginx;
+in
 {
-  "dav.${config.const.host.domain}" = {
-    inherit (config.const.host) sslCertificate sslCertificateKey;
-    locations."/".extraConfig = ''
-      allow 10.0.0.0/8;
-      allow fd09:8d46:b26::/48;
-      deny all;
-    '';
-    extraConfig = ''
-      listen 443 ssl;
-      include /etc/letsencrypt/conf/options-ssl-nginx.conf;
-      ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
-    '';
+  "dav.${cfg.domain}" = {
+    inherit (cfg) sslCertificate sslCertificateKey extraConfig;
+    locations."/".extraConfig = cfg.allowLocal;
  };
 }
--- a/host/x86_64-linux/home/nginx/Deluge.nix
+++ b/host/x86_64-linux/home/nginx/Deluge.nix
@ -1,18 +1,13 @@
 { config, ... }:
+let
+  cfg = config.const.host.nginx;
+in
 {
-  "download.${config.const.host.domain}".extraConfig = ''
-    listen 443 ssl;
-
-    location / {
-      allow 10.0.0.0/8;
-      allow fd09:8d46:b26::/48;
-      deny all;
-      proxy_pass http://127.0.0.1:8112$request_uri;
-    }
-
-    ssl_certificate /etc/letsencrypt/live/voronind.com/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/voronind.com/privkey.pem;
-    include /etc/letsencrypt/conf/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
-  '';
+  "download.${cfg.domain}" = {
+    inherit (cfg) sslCertificate sslCertificateKey extraConfig;
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:8112$request_uri";
+      extraConfig = cfg.allowLocal;
+    };
+  };
 }
--- a/host/x86_64-linux/home/nginx/Forgejo.nix
+++ b/host/x86_64-linux/home/nginx/Forgejo.nix
@ -1,22 +1,16 @@
-{ ... }:
+{ config, ... }:
+let
+  cfg = config.const.host.nginx;
+in
 {
-  "git.voronind.com".extraConfig = ''
-    listen 443 ssl;
-
-    location ~ ^/(admin|api|user) {
-      allow 10.0.0.0/8;
-      allow fd09:8d46:b26::/48;
-      deny all;
-      proxy_pass http://[::1]:3000$request_uri;
-    }
-
-    location / {
-      proxy_pass http://[::1]:3000$request_uri;
-    }
-
-    ssl_certificate /etc/letsencrypt/live/voronind.com/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/voronind.com/privkey.pem;
-    include /etc/letsencrypt/conf/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
-  '';
+  "git.${cfg.domain}" = {
+    inherit (cfg) sslCertificate sslCertificateKey extraConfig;
+    locations = {
+      "~ ^/(admin|api|user)" = {
+        extraConfig = cfg.allowLocal;
+        proxyPass = "http://[::1]:3000$request_uri";
+      };
+      "/".proxyPass = "http://[::1]:3000$request_uri";
+    };
+  };
 }
--- a/host/x86_64-linux/home/nginx/Hass.nix
+++ b/host/x86_64-linux/home/nginx/Hass.nix
@ -1,25 +1,19 @@
-{ ... }:
+{ config, ... }:
+let
+  cfg = config.const.host.nginx;
+in
 {
-  "iot.voronind.com".extraConfig = ''
-    listen 443 ssl;
-
-    location / {
-      allow 10.0.0.0/8;
-      allow fd09:8d46:b26::/48;
-      deny all;
-
-      # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-      proxy_set_header Host $host;
-      proxy_http_version 1.1;
-      proxy_set_header Upgrade $http_upgrade;
-      proxy_set_header Connection "upgrade";
-
-      proxy_pass http://[::1]:8123$request_uri;
-    }
-
-    ssl_certificate /etc/letsencrypt/live/voronind.com/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/voronind.com/privkey.pem;
-    include /etc/letsencrypt/conf/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
-  '';
+  "iot.${cfg.domain}" = {
+    inherit (cfg) sslCertificate sslCertificateKey extraConfig;
+    locations."/" = {
+      proxyPass = "http://[::1]:8123$request_uri";
+      recommendedProxySettings = false;
+      extraConfig = cfg.allowLocal + ''
+        proxy_set_header Host $host;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+      '';
+    };
+  };
 }
--- a/host/x86_64-linux/home/nginx/Homer.nix
+++ b/host/x86_64-linux/home/nginx/Homer.nix
@ -1,18 +1,17 @@
-{ ... }:
+{ config, ... }:
+let
+  cfg = config.const.host.nginx;
+in
 {
-  "home.voronind.com".extraConfig = ''
-    listen 443 ssl;
-
-    location / {
-      allow 10.0.0.0/8;
-      allow fd09:8d46:b26::/48;
-      deny all;
-      try_files $uri $uri/index.html;
-    }
-
-    ssl_certificate /etc/letsencrypt/live/voronind.com/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/voronind.com/privkey.pem;
-    include /etc/letsencrypt/conf/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
-  '';
+  "home.${cfg.domain}" = {
+    inherit (cfg) sslCertificate sslCertificateKey extraConfig;
+    locations."/" = {
+      tryFiles = "$uri $uri/index.html";
+      extraConfig = cfg.allowLocal + ''
+        proxy_set_header Host "127.0.0.1";
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
+      '';
+    };
+  };
 }
--- a/host/x86_64-linux/home/nginx/Invidious.nix
+++ b/host/x86_64-linux/home/nginx/Invidious.nix
@ -1,28 +1,21 @@
-{ ... }:
+{ config, ... }:
+let
+  cfg = config.const.host.nginx;
+in
 {
-  "yt.voronind.com".extraConfig = ''
-    listen 443 ssl;
-
-    location / {
-      allow 10.0.0.0/8;
-      allow fd09:8d46:b26::/48;
-      deny all;
-
-      proxy_pass http://[::1]:3001$request_uri;
-
-      proxy_set_header X-Forwarded-For $remote_addr;
-      proxy_set_header Host $host;
-      proxy_http_version 1.1;
-      proxy_set_header Connection "";
-
-      proxy_hide_header Content-Security-Policy;
-      proxy_hide_header X-Frame-Options;
-      proxy_hide_header X-Content-Type-Options;
-    }
-
-    ssl_certificate /etc/letsencrypt/live/voronind.com/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/voronind.com/privkey.pem;
-    include /etc/letsencrypt/conf/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
-  '';
+  "yt.${cfg.domain}" = {
+    inherit (cfg) sslCertificate sslCertificateKey extraConfig;
+    locations."/" = {
+      proxyPass = "http://[::1]:3001$request_uri";
+      extraConfig = cfg.allowLocal + ''
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header Host $host;
+        proxy_http_version 1.1;
+        proxy_set_header Connection "";
+        proxy_hide_header Content-Security-Policy;
+        proxy_hide_header X-Frame-Options;
+        proxy_hide_header X-Content-Type-Options;
+      '';
+    };
+  };
 }
--- a/host/x86_64-linux/home/nginx/Jellyfin.nix
+++ b/host/x86_64-linux/home/nginx/Jellyfin.nix
@ -1,18 +1,13 @@
-{ ... }:
+{ config, ... }:
+let
+  cfg = config.const.host.nginx;
+in
 {
-  "watch.voronind.com".extraConfig = ''
-    listen 443 ssl;
-
-    location / {
-      allow 10.0.0.0/8;
-      allow fd09:8d46:b26::/48;
-      deny all;
-      proxy_pass http://[::1]:8096$request_uri;
-    }
-
-    ssl_certificate /etc/letsencrypt/live/voronind.com/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/voronind.com/privkey.pem;
-    include /etc/letsencrypt/conf/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
-  '';
+  "watch.${cfg.domain}" = {
+    inherit (cfg) sslCertificate sslCertificateKey extraConfig;
+    locations."/" = {
+      proxyPass = "http://[::1]:8096$request_uri";
+      extraConfig = cfg.allowLocal;
+    };
+  };
 }
--- a/host/x86_64-linux/home/nginx/Kavita.nix
+++ b/host/x86_64-linux/home/nginx/Kavita.nix
@ -1,18 +1,13 @@
-{ ... }:
+{ config, ... }:
+let
+  cfg = config.const.host.nginx;
+in
 {
-  "read.voronind.com".extraConfig = ''
-    listen 443 ssl;
-
-    location / {
-      allow 10.0.0.0/8;
-      allow fd09:8d46:b26::/48;
-      deny all;
-      proxy_pass http://[::1]:5000$request_uri;
-    }
-
-    ssl_certificate /etc/letsencrypt/live/voronind.com/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/voronind.com/privkey.pem;
-    include /etc/letsencrypt/conf/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
-  '';
+  "read.${cfg.domain}" = {
+    inherit (cfg) sslCertificate sslCertificateKey extraConfig;
+    locations."/" = {
+      proxyPass = "http://[::1]:5000$request_uri";
+      extraConfig = cfg.allowLocal;
+    };
+  };
 }
--- a/host/x86_64-linux/home/nginx/Mailserver.nix
+++ b/host/x86_64-linux/home/nginx/Mailserver.nix
@ -1,25 +1,13 @@
 { config, lib, ... }:
+let
+  cfg = config.const.host.nginx;
+in
 {
-  "mail.voronind.com" = {
+  "mail.${cfg.domain}" = {
+    inherit (cfg) sslCertificate sslCertificateKey;
    enableACME = false;
    forceSSL = false;
-    locations."~* \\.php(/|$)".extraConfig = lib.mkForce ''
-      allow 10.0.0.0/8;
-      allow fd09:8d46:b26::/48;
-      deny all;
-
-      fastcgi_pass unix:${config.services.phpfpm.pools.roundcube.socket};
-      fastcgi_param PATH_INFO $fastcgi_path_info;
-      fastcgi_split_path_info ^(.+\.php)(/.+)$;
-      include ${config.services.nginx.package}/conf/fastcgi.conf;
-    '';
-    extraConfig = lib.mkForce ''
-      listen 443 ssl;
-
-      ssl_certificate /etc/letsencrypt/live/voronind.com/fullchain.pem;
-      ssl_certificate_key /etc/letsencrypt/live/voronind.com/privkey.pem;
-      include /etc/letsencrypt/conf/options-ssl-nginx.conf;
-      ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
-    '';
+    extraConfig = lib.mkForce cfg.extraConfig;
+    locations."~* \\.php(/|$)".extraConfig = cfg.allowLocal;
  };
 }
--- a/host/x86_64-linux/home/nginx/OnlyOffice.nix
+++ b/host/x86_64-linux/home/nginx/OnlyOffice.nix
@ -1,18 +0,0 @@
-{ lib, ... }:
-{
-  "office.voronind.com" = {
-    locations."/".extraConfig = lib.mkForce ''
-      add_header X-Forwarded-Proto https;
-      proxy_pass http://[::1]:8000$request_uri;
-    '';
-
-    extraConfig = ''
-      listen 443 ssl;
-
-      ssl_certificate /etc/letsencrypt/live/voronind.com/fullchain.pem;
-      ssl_certificate_key /etc/letsencrypt/live/voronind.com/privkey.pem;
-      include /etc/letsencrypt/conf/options-ssl-nginx.conf;
-      ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
-    '';
-  };
-}
--- a/host/x86_64-linux/home/nginx/Paperless.nix
+++ b/host/x86_64-linux/home/nginx/Paperless.nix
@ -1,18 +1,13 @@
-{ ... }:
+{ config, ... }:
+let
+  cfg = config.const.host.nginx;
+in
 {
-  "paper.voronind.com".extraConfig = ''
-    listen 443 ssl;
-
-    location / {
-      allow 10.0.0.0/8;
-      allow fd09:8d46:b26::/48;
-      deny all;
-      proxy_pass http://[::1]:28981$request_uri;
-    }
-
-    ssl_certificate /etc/letsencrypt/live/voronind.com/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/voronind.com/privkey.pem;
-    include /etc/letsencrypt/conf/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
-  '';
+  "paper.${cfg.domain}" = {
+    inherit (cfg) sslCertificate sslCertificateKey extraConfig;
+    locations."/" = {
+      proxyPass = "http://[::1]:28981$request_uri";
+      extraConfig = cfg.allowLocal;
+    };
+  };
 }
--- a/host/x86_64-linux/home/nginx/Printer.nix
+++ b/host/x86_64-linux/home/nginx/Printer.nix
@ -1,18 +1,13 @@
-{ ... }:
+{ config, ... }:
+let
+  cfg = config.const.host.nginx;
+in
 {
-  "printer.voronind.com".extraConfig = ''
-    listen 443 ssl;
-
-    location / {
-      allow 10.0.0.0/8;
-      allow fd09:8d46:b26::/48;
-      deny all;
-      proxy_pass http://[fd09:8d46:b26:0:9e1c:37ff:fe62:3fd5]:80$request_uri;
-    }
-
-    ssl_certificate /etc/letsencrypt/live/voronind.com/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/voronind.com/privkey.pem;
-    include /etc/letsencrypt/conf/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
-  '';
+  "printer.${cfg.domain}" = {
+    inherit (cfg) sslCertificate sslCertificateKey extraConfig;
+    locations."/" = {
+      proxyPass = "http://[fd09:8d46:b26:0:9e1c:37ff:fe62:3fd5]:80$request_uri";
+      extraConfig = cfg.allowLocal;
+    };
+  };
 }
--- a/host/x86_64-linux/home/nginx/Privatebin.nix
+++ b/host/x86_64-linux/home/nginx/Privatebin.nix
@ -1,12 +1,10 @@
-{ ... }:
+{ config, ... }:
+let
+  cfg = config.const.host.nginx;
+in
 {
-  "paste.voronind.com" = {
-    extraConfig = ''
-      listen 443 ssl;
-      ssl_certificate /etc/letsencrypt/live/voronind.com/fullchain.pem;
-      ssl_certificate_key /etc/letsencrypt/live/voronind.com/privkey.pem;
-      include /etc/letsencrypt/conf/options-ssl-nginx.conf;
-      ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
-    '';
+  "paste.${cfg.domain}" = {
+    inherit (cfg) sslCertificate sslCertificateKey extraConfig;
+    locations."/".extraConfig = cfg.allowLocal;
  };
 }
--- a/host/x86_64-linux/home/nginx/Resume.nix
+++ b/host/x86_64-linux/home/nginx/Resume.nix
@ -1,18 +1,15 @@
-{ ... }:
+{ config, ... }:
+let
+  cfg = config.const.host.nginx;
+in
 {
-  "resume.voronind.com".extraConfig = ''
-    server_name resume.voronind.com;
-    listen 443 ssl;
-
-    ssl_certificate /etc/letsencrypt/live/voronind.com/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/voronind.com/privkey.pem;
-    include /etc/letsencrypt/conf/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
-
-    if ($http_accept_language ~ ru) {
-      return 301 https://git.voronind.com/voronind/resume/releases/download/latest/VoronindRu.pdf;
-    }
-
-    return 301 https://git.voronind.com/voronind/resume/releases/download/latest/VoronindEn.pdf;
-  '';
+  "resume.${cfg.domain}" = {
+    inherit (cfg) sslCertificate sslCertificateKey extraConfig;
+    locations."/".extraConfig = cfg.allowLocal + ''
+      if ($http_accept_language ~ ru) {
+        return 301 https://git.voronind.com/voronind/resume/releases/download/latest/VoronindRu.pdf;
+      }
+      return 301 https://git.voronind.com/voronind/resume/releases/download/latest/VoronindEn.pdf;
+    '';
+  };
 }
--- a/host/x86_64-linux/home/nginx/Router.nix
+++ b/host/x86_64-linux/home/nginx/Router.nix
@ -1,18 +1,13 @@
-{ ... }:
+{ config, ... }:
+let
+  cfg = config.const.host.nginx;
+in
 {
-  "router.voronind.com".extraConfig = ''
-    listen 443 ssl;
-
-    location / {
-      allow 10.0.0.0/8;
-      allow fd09:8d46:b26::/48;
-      deny all;
-      proxy_pass http://[fd09:8d46:b26:0:9e9d:7eff:fe8e:3dc7]:80$request_uri;
-    }
-
-    ssl_certificate /etc/letsencrypt/live/voronind.com/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/voronind.com/privkey.pem;
-    include /etc/letsencrypt/conf/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
-  '';
+  "router.${cfg.domain}" = {
+    inherit (cfg) sslCertificate sslCertificateKey extraConfig;
+    locations."/" = {
+      proxyPass = "http://[fd09:8d46:b26:0:9e9d:7eff:fe8e:3dc7]:80$request_uri";
+      extraConfig = cfg.allowLocal;
+    };
+  };
 }
--- a/host/x86_64-linux/home/nginx/SearX.nix
+++ b/host/x86_64-linux/home/nginx/SearX.nix
@ -1,18 +1,13 @@
-{ ... }:
+{ config, ... }:
+let
+  cfg = config.const.host.nginx;
+in
 {
-  "search.voronind.com".extraConfig = ''
-    listen 443 ssl;
-
-    location / {
-      allow 10.0.0.0/8;
-      allow fd09:8d46:b26::/48;
-      deny all;
-      proxy_pass http://[::1]:34972$request_uri;
-    }
-
-    ssl_certificate /etc/letsencrypt/live/voronind.com/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/voronind.com/privkey.pem;
-    include /etc/letsencrypt/conf/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
-  '';
+  "search.${cfg.domain}" = {
+    inherit (cfg) sslCertificate sslCertificateKey extraConfig;
+    locations."/" = {
+      proxyPass = "http://[::1]:34972$request_uri";
+      extraConfig = cfg.allowLocal;
+    };
+  };
 }
--- a/host/x86_64-linux/home/nginx/Share.nix
+++ b/host/x86_64-linux/home/nginx/Share.nix
@ -1,25 +1,24 @@
-{ ... }:
+{ config, ... }:
+let
+  cfg = config.const.host.nginx;
+  root = "/storage/hot/share";
+in
 {
-  "share.voronind.com".extraConfig = ''
-    listen 443 ssl;
-
-    location ~* /$ {
-      allow 10.0.0.0/8;
-      allow fd09:8d46:b26::/48;
-      deny all;
-
-      autoindex on;
-      root /storage/hot/share;
-    }
-
-    location / {
-      autoindex off;
-      root /storage/hot/share;
-    }
-
-    ssl_certificate /etc/letsencrypt/live/voronind.com/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/voronind.com/privkey.pem;
-    include /etc/letsencrypt/conf/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
-  '';
+  "share.${cfg.domain}" = {
+    inherit (cfg) sslCertificate sslCertificateKey extraConfig;
+    locations = {
+      "~* /$" = {
+        inherit root;
+        extraConfig = cfg.allowLocal + ''
+          autoindex on;
+        '';
+      };
+      "/" = {
+        inherit root;
+        extraConfig = ''
+          autoindex off;
+        '';
+      };
+    };
+  };
 }
--- a/host/x86_64-linux/home/nginx/Sync.nix
+++ b/host/x86_64-linux/home/nginx/Sync.nix
@ -1,22 +1,16 @@
-{ ... }:
+{ config, ... }:
+let
+  cfg = config.const.host.nginx;
+in
 {
-  "sync.voronind.com".extraConfig = ''
-    listen 443 ssl;
-
-    location / {
-      allow 10.0.0.0/8;
-      allow fd09:8d46:b26::/48;
-      deny all;
-
-      proxy_set_header Host "localhost";
-      proxy_set_header X-Forwarded-Host "localhost";
-
-      proxy_pass http://[::1]:8384$request_uri;
-    }
-
-    ssl_certificate /etc/letsencrypt/live/voronind.com/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/voronind.com/privkey.pem;
-    include /etc/letsencrypt/conf/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
-  '';
+  "sync.${cfg.domain}" = {
+    inherit (cfg) sslCertificate sslCertificateKey extraConfig;
+    locations."/" = {
+      proxyPass = "http://[::1]:8384$request_uri";
+      extraConfig = cfg.allowLocal + ''
+        proxy_set_header Host "localhost";
+        proxy_set_header X-Forwarded-Host "localhost";
+      '';
+    };
+  };
 }
--- a/host/x86_64-linux/home/nginx/Tandoor.nix
+++ b/host/x86_64-linux/home/nginx/Tandoor.nix
@ -1,23 +1,17 @@
-{ ... }:
+{ config, ... }:
+let
+  cfg = config.const.host.nginx;
+in
 {
-  "craft.voronind.com".extraConfig = ''
-    listen 443 ssl;
-
-    location / {
-      allow 10.0.0.0/8;
-      allow fd09:8d46:b26::/48;
-      deny all;
-
-      proxy_pass http://[::1]:33122$request_uri;
-
-      proxy_set_header Host $host;
-      proxy_set_header X-Forwarded-Host $host;
-      proxy_set_header X-Forwarded-Proto https;
-    }
-
-    ssl_certificate /etc/letsencrypt/live/voronind.com/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/voronind.com/privkey.pem;
-    include /etc/letsencrypt/conf/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
-  '';
+  "craft.${cfg.domain}" = {
+    inherit (cfg) sslCertificate sslCertificateKey extraConfig;
+    locations."/" = {
+      proxyPass = "http://[::1]:33122$request_uri";
+      extraConfig = cfg.allowLocal + ''
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Proto https;
+      '';
+    };
+  };
 }
--- a/host/x86_64-linux/home/nginx/UptimeKuma.nix
+++ b/host/x86_64-linux/home/nginx/UptimeKuma.nix
@ -1,18 +1,13 @@
-{ ... }:
+{ config, ... }:
+let
+  cfg = config.const.host.nginx;
+in
 {
-  "status.voronind.com".extraConfig = ''
-    listen 443 ssl;
-
-    location / {
-      allow 10.0.0.0/8;
-      allow fd09:8d46:b26::/48;
-      deny all;
-      proxy_pass http://[::1]:64901$request_uri;
-    }
-
-    ssl_certificate /etc/letsencrypt/live/voronind.com/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/voronind.com/privkey.pem;
-    include /etc/letsencrypt/conf/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
-  '';
+  "status.${cfg.domain}" = {
+    inherit (cfg) sslCertificate sslCertificateKey extraConfig;
+    locations."/" = {
+      proxyPass = "http://[::1]:64901$request_uri";
+      extraConfig = cfg.allowLocal;
+    };
+  };
 }
--- a/host/x86_64-linux/home/nginx/Valutwarden.nix
+++ b/host/x86_64-linux/home/nginx/Valutwarden.nix
@ -1,18 +1,13 @@
-{ ... }:
+{ config, ... }:
+let
+  cfg = config.const.host.nginx;
+in
 {
-  "pass.voronind.com".extraConfig = ''
-    listen 443 ssl;
-
-    location / {
-      allow 10.0.0.0/8;
-      allow fd09:8d46:b26::/48;
-      deny all;
-      proxy_pass http://[::1]:8001$request_uri;
-    }
-
-    ssl_certificate /etc/letsencrypt/live/voronind.com/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/voronind.com/privkey.pem;
-    include /etc/letsencrypt/conf/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
-  '';
+  "pass.${cfg.domain}" = {
+    inherit (cfg) sslCertificate sslCertificateKey extraConfig;
+    locations."/" = {
+      proxyPass = "http://[::1]:8001$request_uri";
+      extraConfig = cfg.allowLocal;
+    };
+  };
 }