Diffstat (limited to 'machines/nixos/x86_64-linux')
-rw-r--r--machines/nixos/x86_64-linux/do-rproxy/default.nix2
-rw-r--r--machines/nixos/x86_64-linux/do-rproxy/profiles/caddy.nix72
-rw-r--r--machines/nixos/x86_64-linux/do-rproxy/profiles/nginx.nix73
-rw-r--r--machines/nixos/x86_64-linux/do-rproxy/secrets.nix4
4 files changed, 76 insertions, 75 deletions
diff --git a/machines/nixos/x86_64-linux/do-rproxy/default.nix b/machines/nixos/x86_64-linux/do-rproxy/default.nix
index 159c4fd..e187bd2 100644
--- a/machines/nixos/x86_64-linux/do-rproxy/default.nix
+++ b/machines/nixos/x86_64-linux/do-rproxy/default.nix
@@ -33,7 +33,7 @@
"${self}/profiles/network/fail2ban.nix"
"${self}/profiles/services/podman.nix"
"${self}/profiles/programs/fish.nix"
- ./profiles/caddy.nix
+ ./profiles/nginx.nix
];
# do not use DHCP, as DigitalOcean provisions IPs using cloud-init
diff --git a/machines/nixos/x86_64-linux/do-rproxy/profiles/caddy.nix b/machines/nixos/x86_64-linux/do-rproxy/profiles/caddy.nix
deleted file mode 100644
index c39a1ec..0000000
--- a/machines/nixos/x86_64-linux/do-rproxy/profiles/caddy.nix
+++ /dev/null
@@ -1,72 +0,0 @@
-{ config, ... }:
-{
- networking.firewall.allowedTCPPorts = [
- 80
- 443
- ];
-
- security.acme = {
- acceptTerms = true;
- defaults.email = "franck@fcuny.net";
- certs = {
- "code.fcuny.net" = {
- domain = "code.fcuny.net";
- dnsProvider = "cloudflare";
- dnsResolver = "1.1.1.1";
- reloadServices = [ "caddy.service" ];
- credentialFiles.CF_DNS_API_TOKEN_FILE = config.age.secrets."cloudflare-caddy".path;
- };
- "go.fcuny.net" = {
- domain = "go.fcuny.net";
- dnsProvider = "cloudflare";
- dnsResolver = "1.1.1.1";
- reloadServices = [ "caddy.service" ];
- credentialFiles.CF_DNS_API_TOKEN_FILE = config.age.secrets."cloudflare-caddy".path;
- };
- "id.fcuny.net" = {
- domain = "id.fcuny.net";
- dnsProvider = "cloudflare";
- dnsResolver = "1.1.1.1";
- reloadServices = [ "caddy.service" ];
- credentialFiles.CF_DNS_API_TOKEN_FILE = config.age.secrets."cloudflare-caddy".path;
- };
- };
- };
-
- services.caddy = {
- enable = true;
- email = "franck@fcuny.net";
- globalConfig = ''
- metrics {
- per_host
- }
- admin :2019 {
- origins 127.0.0.1 10.100.0.0/24
- }
- '';
- virtualHosts = {
- forgejo = {
- hostName = "code.fcuny.net";
- useACMEHost = "code.fcuny.net";
- extraConfig = ''
- respond /metrics 403
- reverse_proxy 10.100.0.40:3000
- '';
- };
- go = {
- hostName = "go.fcuny.net";
- useACMEHost = "go.fcuny.net";
- extraConfig = ''
- reverse_proxy 10.100.0.40:8070
- '';
- };
- auth = {
- hostName = "id.fcuny.net";
- useACMEHost = "id.fcuny.net";
- extraConfig = ''
- reverse_proxy 10.100.0.40:8080
- '';
- };
- };
- };
-}
diff --git a/machines/nixos/x86_64-linux/do-rproxy/profiles/nginx.nix b/machines/nixos/x86_64-linux/do-rproxy/profiles/nginx.nix
new file mode 100644
index 0000000..fc273b7
--- /dev/null
+++ b/machines/nixos/x86_64-linux/do-rproxy/profiles/nginx.nix
@@ -0,0 +1,73 @@
+{ config, ... }:
+{
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "franck@fcuny.net";
+ certs = {
+ "code.fcuny.net" = {
+ dnsProvider = "cloudflare";
+ dnsResolver = "1.1.1.1";
+ reloadServices = [ "nginx.service" ];
+ credentialFiles.CF_DNS_API_TOKEN_FILE = config.age.secrets."cloudflare-nginx".path;
+ };
+ "go.fcuny.net" = {
+ dnsProvider = "cloudflare";
+ dnsResolver = "1.1.1.1";
+ reloadServices = [ "nginx.service" ];
+ credentialFiles.CF_DNS_API_TOKEN_FILE = config.age.secrets."cloudflare-nginx".path;
+ };
+ "id.fcuny.net" = {
+ dnsProvider = "cloudflare";
+ dnsResolver = "1.1.1.1";
+ reloadServices = [ "nginx.service" ];
+ credentialFiles.CF_DNS_API_TOKEN_FILE = config.age.secrets."cloudflare-nginx".path;
+ };
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+ virtualHosts = {
+ "code.fcuny.net" = {
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://10.100.0.40:3000";
+ };
+ locations."/metrics" = {
+ proxyPass = "http://10.100.0.40:3000/metrics";
+ extraConfig = ''
+ deny all;
+ access_log off;
+ '';
+ };
+ };
+ "go.fcuny.net" = {
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://10.100.0.40:8070";
+ };
+ };
+ "id.fcuny.net" = {
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://10.100.0.40:8080";
+ };
+ };
+ };
+ };
+}
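Review bot: None of the three server blocks in this new profile is marked as the default, so a request that reaches the droplet by bare IP or with an unknown Host/SNI falls through to whichever block nginx lists first (alphabetically `code.fcuny.net`), which presents that host's certificate and proxies the request to Forgejo; Caddy by default does not complete a handshake for a name it has no site for, so this is a behavioural change the switch introduces rather than parity. A catch-all vhost closes it: `virtualHosts."_" = { default = true; rejectSSL = true; locations."/".return = "444"; };` (`rejectSSL` maps to `ssl_reject_handshake`, which needs nginx ≥ 1.19.4). Separately, as far as I can tell `recommendedTlsSettings` does not emit a Strict-Transport-Security header, and the deleted Caddy profile did not either, so `id.fcuny.net` — an identity endpoint — still lacks HSTS; `extraConfig = ''add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;'';` on that vhost is worth considering once the migration is confirmed stable. The `deny all` on `/metrics` is correct (nginx's access phase rejects before `proxy_pass` runs), but the accompanying `access_log off` also hides denied scrape attempts from the fail2ban jails this host imports, so consider dropping that line.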
diff --git a/machines/nixos/x86_64-linux/do-rproxy/secrets.nix b/machines/nixos/x86_64-linux/do-rproxy/secrets.nix
index e2444e2..8711666 100644
--- a/machines/nixos/x86_64-linux/do-rproxy/secrets.nix
+++ b/machines/nixos/x86_64-linux/do-rproxy/secrets.nix
@@ -2,8 +2,8 @@
{
age = {
secrets = {
- cloudflare-caddy = {
- file = "${self}/secrets/cloudflare-caddy.age";
+ cloudflare-nginx = {
+ file = "${self}/secrets/cloudflare-nginx.age";
};
wireguard = {
file = "${self}/secrets/do/wireguard.age";