container/Change.nix

@@ -1,9 +1,5 @@
 { pkgs
 , storage
-, const
-, domain
-, host
-, util
 , mkContainer
 , mkContainerConfig
 , ... } @args: let
@@ -19,7 +15,7 @@ in {
 		privateNetwork = true;
 
 		bindMounts = {
-			"/datastore" = {
+			"/var/lib/changedetection-io" = {
 				hostPath   = "${path}/data";
 				isReadOnly = false;
 			};
@@ -28,6 +24,7 @@ in {
 		config = { config, lib, pkgs, ... }: mkContainerConfig {
 			services.changedetection-io = {
 				enable = true;
+				behindProxy = true;
 			};
 		};
 	};

container/Postgres.nix

@@ -1,9 +1,7 @@
 { pkgs
 , storage
 , const
-, domain
 , host
-, util
 , mkContainer
 , mkContainerConfig
 , ... } @args: let

container/Proxy.nix

@@ -1,9 +1,9 @@
 { pkgs
 , storage
 , const
-, domain
 , host
 , util
+, domain
 , mkContainer
 , mkContainerConfig
 , ... } @args: let
@@ -48,6 +48,53 @@ in {
 				inherit virtualHosts;
 
 				enable = true;
+				recommendedOptimisation  = true;
+				recommendedProxySettings = true;
+				appendConfig = util.trimTabs ''
+					worker_processes 4;
+				'';
+				eventsConfig = util.trimTabs ''
+					worker_connections 4096;
+				'';
+				appendHttpConfig = util.trimTabs ''
+					server {
+						server_name default_server;
+						listen 80;
+
+						location / {
+							return 301 https://$host$request_uri;
+						}
+					}
+
+					map $http_accept_language $resume {
+						default https://git.${domain}/voronind/resume/releases/download/latest/voronind_en.pdf;
+						~ru     https://git.${domain}/voronind/resume/releases/download/latest/voronind_ru.pdf;
+					}
+
+					server {
+						server_name ${domain};
+						listen 443 ssl;
+
+						ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;
+						ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
+						include /etc/letsencrypt/conf/options-ssl-nginx.conf;
+						ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
+
+						return 301 $resume;
+					}
+
+					server {
+						listen 443 ssl default_server;
+						server_name _;
+
+						ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;
+						ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
+						include /etc/letsencrypt/conf/options-ssl-nginx.conf;
+						ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
+
+						return 403;
+					}
+				'';
 			};
 		};
 	};

container/proxy/host/Change.nix

@@ -0,0 +1,20 @@
+{ domain, util, mkServer, ... }: {
+	"change.${domain}" = mkServer {
+		extraConfig = util.trimTabs ''
+			listen 443 ssl;
+			set $change 10.1.0.41:5000;
+
+			location / {
+				allow 192.168.1.0/24;
+				allow 10.1.0.1;
+				deny all;
+				proxy_pass http://$change$request_uri;
+			}
+
+			ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;
+			ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
+			include /etc/letsencrypt/conf/options-ssl-nginx.conf;
+			ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
+		'';
+	};
+}

container/proxy/host/Default.nix

@@ -0,0 +1,2 @@
+{ domain, util, mkServer, ... }: {
+}

host/desktop/Container.nix

@@ -33,12 +33,15 @@ in {
 		externalInterface = "enp4s0";
 	};
 
-	# NOTE: Remove this.
+	# TODO: Remove this.
 	networking.extraHosts = ''
 		10.1.0.2 paste.local
+		10.1.0.2 change.local
+		10.1.0.2 local
 	'';
 
 	imports = [
+		(import ../../container/Change.nix args)
 		(import ../../container/Paste.nix args)
 		(import ../../container/Postgres.nix args)
 		(import ../../container/Proxy.nix args)

host/work/Container.nix

@@ -5,6 +5,26 @@
 		host    = "192.168.0.174";
 	in {
 		inherit storage domain host pkgs const lib config util;
+
+		mkContainer = cfg: lib.recursiveUpdate cfg {
+			hostAddress = host;
+		};
+
+		mkContainerConfig = cfg: lib.recursiveUpdate cfg {
+			system.stateVersion = const.stateVersion;
+
+			users.users.root.password = "";
+			users.mutableUsers = false;
+
+			networking = {
+				useHostResolvConf = lib.mkForce false;
+				firewall.enable = false;
+			};
+		};
+
+		mkServer = cfg: lib.recursiveUpdate cfg {
+			forceSSL = false;
+		};
 	};
 in {
 	networking.nat = {