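# NixOS module: Codeberg pages-server fronted by an nginx SNI router.
#
# Paths into the two TLS backends, as wired below:
#   [::]:443   nginx stream with ssl_preread; picks a backend from the SNI name
#              and prepends a PROXY protocol header:
#                - name is a configured nginx virtualHost -> nginx HTTPS on tlsPort
#                - any other name                         -> pages-server on pagesPort
#   [::]:8447  nginx stream; bytes are relayed to the pages-server as received
#              (no PROXY header is added on this path).
{ lib, pkgs, config, ... }:
let
  # Each port is named once so the pages-server setting, the SNI map, the
  # listeners and the firewall rule cannot drift apart.
  pagesPort = 8010; # pages-server listener
  tlsPort = 8446; # nginx HTTPS listener behind the stream proxy
  relayPort = 8447; # raw pass-through to the pages-server

  # "0.0.0.0" is a bind address; as a connect() destination it only reaches
  # loopback through Linux-specific behaviour, so local upstreams are spelled
  # out as 127.0.0.1. This is also the peer address nginx is told to trust
  # for PROXY protocol headers (set_real_ip_from below).
  loopback = "127.0.0.1";

  # Every virtualHost except the "default" entry gets its own SNI map line.
  nginxVhosts = lib.filter (name: name != "default") (
    lib.attrNames config.services.nginx.virtualHosts
  );
in
{
  # Age-encrypted settings file; the service is handed the path of the
  # decrypted copy (settingsFile below), so the plaintext is not embedded in
  # this configuration.
  # NOTE(review): presumably carries the credentials for DNS_PROVIDER - confirm.
  age.secrets."pages-settings-file".file = ../../secrets/pages-settings-file.age;

  services.codeberg-pages = {
    enable = true;

    # Source is pinned to a single commit and checked against a content hash.
    # NOTE(review): ./proxy-protocol.patch is not visible from this file and
    # USE_PROXY_PROTOCOL below presumably depends on it; re-review the patch
    # whenever `rev` is bumped.
    package = pkgs.unstable.codeberg-pages.overrideAttrs (_: {
      src = pkgs.fetchFromGitea {
        domain = "codeberg.org";
        owner = "Codeberg";
        repo = "pages-server";
        rev = "831ce3d913015e856351dc4d3fc983ada826ef7e";
        hash = "sha256-Ti9sOppHOaUU72A7Bxyfu4phJUed4m/5e9RyjmVino0=";
      };
      patches = [ ./proxy-protocol.patch ];
      vendorHash = "sha256-NHrohvZL7ie29xWpY3bO1BVWrqUywwaKAucZAwvEWto=";
    });

    settings = {
      ACME_ACCEPT_TERMS = "true";
      ACME_EMAIL = "acme@malka.sh";
      DNS_PROVIDER = "gandiv5";
      ENABLE_HTTP_SERVER = "false";
      GITEA_ROOT = "https://git.luj.fr";
      PORT = toString pagesPort;
      PAGES_DOMAIN = "luj-static.page";
      RAW_DOMAIN = "raw.luj-static.page";
      PAGES_BRANCHES = "pages,main,master";
      # NOTE(review): "trace" is the most verbose level. Confirm what the
      # server writes at this level (request details, upstream responses) and
      # lower it once debugging is finished.
      LOG_LEVEL = "trace";
      # NOTE(review): with this enabled the server presumably takes the client
      # address from the PROXY header sent by its peer, so every path that can
      # reach pagesPort has to be a trusted proxy. The listen address of the
      # pages-server is not set in this file - confirm it is loopback-only or
      # firewalled.
      USE_PROXY_PROTOCOL = "true";
    };

    settingsFile = config.age.secrets."pages-settings-file".path;
  };

  # NOTE(review): relayPort is reachable from outside and its stream server
  # relays bytes untouched to a backend that expects a PROXY header. Whoever
  # connects here therefore supplies the client address the pages-server will
  # record. If this port exists for one upstream relay, restrict it to that
  # relay's address (firewall rule, or `allow`/`deny` in the stream server).
  networking.firewall.allowedTCPPorts = [ relayPort ];

  luj.nginx.enable = true;

  services.nginx = {
    # Only a PROXY header arriving from the local stream proxy is trusted as
    # the source of the real client address.
    appendHttpConfig = ''
      set_real_ip_from ${loopback};
      real_ip_header proxy_protocol;
    '';

    defaultListen = [
      # HTTPS listener fed by the stream proxy; requires a PROXY header.
      # NOTE(review): bound on all interfaces while only loopback is trusted
      # above; exposure relies on the firewall. Consider binding to 127.0.0.1
      # if nothing but the local stream proxy is meant to reach it.
      {
        addr = "0.0.0.0";
        port = tlsPort;
        ssl = true;
        proxyProtocol = true;
      }
      # Plain HTTP on IPv4 and IPv6.
      {
        addr = "0.0.0.0";
        port = 80;
        ssl = false;
      }
      {
        addr = "[::]";
        port = 80;
        ssl = false;
      }
    ];

    # SNI routing happens before TLS termination (ssl_preread), so each
    # backend terminates TLS itself. Unknown names fall through to the
    # pages-server.
    streamConfig = ''
      map $ssl_preread_server_name $sni_upstream {
        hostnames;
        default ${loopback}:${toString pagesPort};
      ${lib.concatMapStringsSep "\n" (
        vhost: "  ${vhost} ${loopback}:${toString tlsPort};"
      ) nginxVhosts}
      }

      server {
        listen [::]:443;
        ssl_preread on;
        proxy_pass $sni_upstream;
        proxy_protocol on;
      }

      server {
        listen [::]:${toString relayPort};
        proxy_pass ${loopback}:${toString pagesPort};
      }
    '';

    defaultSSLListenPort = tlsPort;
  };
}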