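# Reverse-proxy guest: terminates TLS with ACME wildcard certificates and
# fronts the FritzBox web UI for a small allow-list of home clients.
{
  config,
  globals,
  ...
}:
let
  # Per-host ACME settings (certs, wildcardDomains) from the local secret store.
  inherit (config.repo.secrets.local) acme;
  fritzboxDomain = "fritzbox.${globals.domains.personal}";
in
{
  # Need more /tmp space so nginx can store intermediary files
  microvm.mem = 1024 * 4;

  # Only the proxy ports are reachable from peers on the proxy-home wireguard
  # network (443/udp presumably for QUIC/HTTP3 -- confirm against recommendedSetup).
  globals.wireguard.proxy-home.hosts.${config.node.name} = {
    firewallRuleForAll = {
      allowedTCPPorts = [
        80
        443
      ];
      allowedUDPPorts = [ 443 ];
    };
  };

  # This node shall monitor the infrastructure
  meta.telegraf.availableMonitoringNetworks = [
    "internet"
    "home-wan"
    "home-lan.vlans.services"
  ];

  # Cloudflare API tokens for the DNS-01 challenge. Mode 440 / group acme keeps
  # them readable by the ACME service only; they are handed to lego as files.
  age.secrets.acme-cloudflare-dns-token = {
    rekeyFile = config.node.secretsDir + "/acme-cloudflare-dns-token.age";
    mode = "440";
    group = "acme";
  };
  age.secrets.acme-cloudflare-zone-token = {
    rekeyFile = config.node.secretsDir + "/acme-cloudflare-zone-token.age";
    mode = "440";
    group = "acme";
  };

  security.acme = {
    acceptTerms = true;
    defaults = {
      # Token paths rather than token values, so the secrets never end up in the store.
      credentialFiles = {
        CF_DNS_API_TOKEN_FILE = config.age.secrets.acme-cloudflare-dns-token.path;
        CF_ZONE_API_TOKEN_FILE = config.age.secrets.acme-cloudflare-zone-token.path;
      };
      dnsProvider = "cloudflare";
      dnsPropagationCheck = true;
      reloadServices = [ "nginx" ];
    };
    inherit (acme) certs wildcardDomains;
  };

  # nginx must be able to read the issued certificates.
  users.groups.acme.members = [ "nginx" ];

  services.nginx = {
    enable = true;
    recommendedSetup = true;

    upstreams.fritzbox = {
      servers.${globals.net.home-wan.hosts.fritzbox.ipv4} = { };
      # Shared-memory zone named after this upstream (was a copy-paste "grafana").
      extraConfig = ''
        zone fritzbox 64k;
        keepalive 2;
      '';
    };

    virtualHosts.${fritzboxDomain} = {
      forceSSL = true;
      useACMEWildcardHost = true;
      locations."/" = {
        proxyPass = "http://fritzbox";
        proxyWebsockets = true;
      };
      # Allow using self-signed certs. We just want to make sure the connection
      # is over TLS.
      # NOTE(review): proxyPass above uses plain http, so proxy_ssl_verify has no
      # effect on that hop; confirm whether the upstream should be https://fritzbox.
      # Default-deny ACL: only sausebiene and the home VLAN may reach the FritzBox UI.
      extraConfig = ''
        proxy_ssl_verify off;
        allow ${globals.net.home-lan.vlans.services.hosts.sausebiene.ipv4};
        allow ${globals.net.home-lan.vlans.services.hosts.sausebiene.ipv6};
        allow ${globals.net.home-lan.vlans.home.cidrv4};
        allow ${globals.net.home-lan.vlans.home.cidrv6};
        deny all;
      '';
    };
  };
}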