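# NixOS module: nginx virtual hosts for the main site ("www.<domain>", also the
# default vhost and served on the bare domain) and a basic-auth protected
# staging site ("staging.<domain>"). Both force HTTPS and obtain certificates
# via ACME.
{ config, ... }:
let
  # TODO: mkVHost

  # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months).
  # `always` makes nginx emit the header on error responses (e.g. the =404
  # fallback of try_files) as well; without it add_header only applies to a
  # fixed set of 2xx/3xx status codes.
  hstsHeader = "add_header Strict-Transport-Security max-age=15768000 always;";
in
{
  services.nginx.virtualHosts = {
    "www.${config.networking.domain}" = {
      default = true;
      serverAliases = [ config.networking.domain ];
      quic = true;
      kTLS = true;
      forceSSL = true;
      enableACME = true;

      # Server-level HSTS. nginx inherits add_header from this level ONLY into
      # locations that declare no add_header of their own, so every location
      # below that sets a header has to repeat ${hstsHeader} itself.
      extraConfig = ''
        ${hstsHeader}
      '';

      locations = {
        "/" = {
          root = "/srv/http/www";
          index = "index.html";
          tryFiles = "$uri $uri/ $uri.html =404";
        };

        # RFC8805
        "/noc/" = {
          alias = "/srv/http/noc/";
        };

        # RFC8805 new location
        # NOTE(review): this uses `root`, not `alias`, so a request for
        # /.well-known/loc/<file> is served from
        # /srv/http/noc/.well-known/loc/<file>, whereas "/noc/" above maps
        # straight into /srv/http/noc/. Confirm that directory layout is
        # the intended one.
        "/.well-known/loc/" = {
          root = "/srv/http/noc/";
        };

        "/.well-known/security.txt" = {
          alias = "/srv/http/security.txt";
          extraConfig = ''
            default_type text/plain;
          '';
        };

        "/twentyyears/" = {
          alias = "/srv/http/twentyyears/";
        };

        # Matrix client discovery. The location-level add_header would
        # otherwise replace the server-level one, so HSTS is repeated here.
        "/.well-known/matrix/client" = {
          return = "200 '{\"m.homeserver\":{\"base_url\":\"https://matrix.berlin.ccc.de\"}}'";
          extraConfig = ''
            ${hstsHeader}
            add_header Access-Control-Allow-Origin "*";
            default_type application/json;
          '';
        };

        # Matrix federation discovery; HSTS repeated for the same reason.
        "/.well-known/matrix/server" = {
          return = "200 '{\"m.server\":\"matrix.berlin.ccc.de:443\"}'";
          extraConfig = ''
            ${hstsHeader}
            add_header Access-Control-Allow-Origin "*";
            default_type application/json;
          '';
        };

        # Per-user pages (/~name/...) are proxied to the home server with the
        # original request URI.
        # NOTE(review): proxy_pass contains a variable, so nginx resolves the
        # upstream host name at request time and needs a `resolver`; none is
        # set in this file - confirm it is configured elsewhere.
        # NOTE(review): nginx does not verify the upstream certificate unless
        # proxy_ssl_verify (plus a trusted CA bundle) is enabled, and does not
        # send SNI unless proxy_ssl_server_name is on; recommendedProxySettings
        # presumably also forwards the client's Host header rather than
        # home.berlin.ccc.de - verify the upstream accepts that.
        "~ ^/~(.+?)/" = {
          recommendedProxySettings = true;
          proxyPass = "https://home.berlin.ccc.de$request_uri";
        };
      };
    };

    # Staging copy of the site, gated by HTTP basic auth. The htpasswd file is
    # an age-managed secret, so the credentials stay out of the Nix store.
    # NOTE(review): no HSTS header is sent here; forceSSL only redirects, so a
    # first plain-HTTP request is not protected against downgrade. Consider
    # adding the same header as on the main vhost.
    "staging.${config.networking.domain}" = {
      quic = true;
      kTLS = true;
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        basicAuthFile = config.age.secrets.www-staging-htpasswd.path;
        root = "/srv/http/www-staging";
        index = "index.html";
        tryFiles = "$uri $uri/ $uri.html =404";
      };
    };
  };
}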