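# Native nginx reverse proxy. The proxy configuration is declarative Nix:
# every proxied service is an entry under services.nginx.virtualHosts, so the
# whole routing table lives in this file and is built/version-controlled with
# the rest of the system.
#
# To add a proxied service, add another virtualHosts."<name>" entry following
# the example below. To serve it over HTTPS, uncomment enableACME + forceSSL on
# that vhost once it has a real DNS name and the ACME HTTP-01/DNS-01 challenge
# can be satisfied (see security.acme for the account/email and DNS settings).
{ ... }:

{
  services.nginx = {
    enable = true;

    recommendedProxySettings = true;   # sane proxy_set_header defaults (Host, X-Forwarded-*)
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;

    virtualHosts = {
      # Catch-all server block. nginx hands any request whose Host header
      # matches no configured server_name to the *default* server; with no
      # explicit default that is whichever vhost nginx sees first, so the
      # example upstream below would answer for every hostname, bare-IP
      # request or probe that reaches port 80. Returning 444 makes nginx drop
      # the connection without a response, so only named vhosts are routable.
      "_" = {
        default = true;
        locations."/".return = "444";
      };

      # Example reverse-proxy vhost. Replace the name and upstream with a real
      # service (e.g. a container published by the Docker host on this machine).
      "example.lan" = {
        # enableACME = true;   # request a Let's Encrypt cert for this host
        # forceSSL = true;     # redirect HTTP -> HTTPS once the cert exists
        locations."/" = {
          proxyPass = "http://127.0.0.1:8080";
          proxyWebsockets = true;   # forward Upgrade/Connection for WebSocket apps
        };
      };
    };
  };

  # Public reverse-proxy ports. 443 is opened now so flipping a vhost to TLS
  # needs no firewall change.
  networking.firewall.allowedTCPPorts = [ 80 443 ];
}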