empyrean: Add mTLS domains for mopidy and immich

2025-03-11 02:51:42 +00:00 · 2025-03-11 02:51:42 +00:00 · 801eb9d288
commit 801eb9d288
parent d6d62d351b
1 changed files with 39 additions and 0 deletions
--- a/machine/empyrean/default.nix
+++ b/machine/empyrean/default.nix
@ -74,6 +74,45 @@
      # Home service stub domains
      "mopidy.home.ktvb.site" = service-stub;
      "jellyfin.home.ktvb.site" = service-stub;
+      # mTLS secure domains
+      "www.secure.ktvb.site" = {
+        enableACME = true;
+        forceSSL = true;
+        root = "/srv/www.secure.ktvb.site";
+        extraConfig = ''
+          # Enable mTLS
+          ssl_verify_client on;
+          ssl_client_certificate /etc/nginx/client-ca.crt;
+          index index.html;
+        '';
+      };
+      "mopidy.secure.ktvb.site" = {
+        enableACME = true;
+        forceSSL = true;
+        locations."/".proxyPass = "http://10.22.20.2";
+        locations."/mopidy/ws" = {
+          proxyPass = "http://10.22.20.2";
+          extraConfig = ''
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+          '';
+        };
+        extraConfig = ''
+          # Enable mTLS
+          ssl_verify_client on;
+          ssl_client_certificate /etc/nginx/client-ca.crt;
+        '';
+      };
+      "immich.secure.ktvb.site" = {
+        enableACME = true;
+        forceSSL = true;
+        locations."/".proxyPass = "http://10.22.20.8:2283";
+        extraConfig = ''
+          # enable mTLS
+          ssl_verify_client on;
+          ssl_client_certificate /etc/nginx/client-ca.crt;
+        '';
+      };
      # mirror revproxy
      "mirror.alogoulogoi.com" = {
        enableACME = true;