Add Nginx and pict-rs configurations for enhanced web service management

Introduced separate configuration files for Nginx and pict-rs, enabling a streamlined setup for web services. The Nginx configuration includes reverse proxy settings, automatic SSL certificate generation with Let's Encrypt, and fail2ban for security. The pict-rs configuration facilitates image service management with CORS support. Updated the shared configuration to import these new files, improving modularity and maintainability of the NixOS setup.
2025-10-08 17:19:39 +02:00 · 2025-10-08 17:19:39 +02:00 · ef87fc5906
commit ef87fc5906
parent 667912e732
3 changed files with 101 additions and 42 deletions
--- a/config/nginx.nix
+++ b/config/nginx.nix
@ -0,0 +1,34 @@
+{
+  # Enable nginx
+  services.nginx = {
+    enable = true;
+
+    # Recommended settings for reverse proxy (DISABLED recommendedProxySettings for WebSocket compatibility)
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = false;  # DISABLED - was interfering with WebSocket
+    recommendedTlsSettings = true;
+  };
+
+  # Enable automatic SSL certificate generation with Let's Encrypt
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "admin@aiolabs.dev";
+  };
+
+  # Open firewall ports
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  # Optional: Enable fail2ban for additional security
+  services.fail2ban = {
+    enable = true;
+    jails = {
+      nginx-http-auth.settings = {
+        enabled = true;
+        filter = "nginx-http-auth";
+        logpath = "/var/log/nginx/error.log";
+        backend = "systemd";
+      };
+    };
+  };
+}