# NixOS module: nginx (mainline) as this host's public listener on TCP 80 and 443.
# Port 80 answers or forwards ACME challenge requests and redirects everything
# else to HTTPS. Port 443 is not terminated here: the stream block reads the TLS
# SNI name and relays the raw connection to that name on port 443.
{ config, pkgs, ... }:
{
  # Host firewall: only HTTP and HTTPS are opened.
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  services.nginx = {
    enable = true;
    package = pkgs.nginxMainline;

    # Apply configuration changes with a reload instead of a full restart.
    enableReload = true;

    # Resolve proxy targets while nginx is running, not only at startup.
    # NOTE(review): both proxy_pass targets below are built from request
    # variables, so every connection depends on a DNS answer from the
    # resolvers listed here.
    proxyResolveWhileRunning = true;

    # DNS servers used for the http context. The stream block repeats the same
    # four addresses in its own `resolver` line, so keep the two lists in sync.
    # NOTE(review): these look like external recursive resolvers reached over
    # plain DNS. Their answers decide where traffic is relayed, so confirm they
    # are trusted or use a local validating resolver.
    resolver.addresses = [
      "[2a02:2970:1002::18]"
      "46.182.19.48"
      "[2001:1608:10:25::9249:d69b]"
      "84.200.70.40"
    ];

    # HTTP (port 80), two server blocks, kept on one line so the string is unchanged:
    #  1. turn.entr0py.de:80 serves ACME challenge files from /var/www/letsencrypt.
    #  2. The catch-all on 0.0.0.0 and [::] forwards /.well-known/acme-challenge
    #     to http://$host and answers everything else with a 301 to https://$host.
    # SECURITY(review): $host comes from the client's Host header, so block 2
    # will make port-80 requests to any name a client supplies. That includes
    # names that resolve to this machine (a proxy loop) or to addresses only
    # this machine can reach. Mitigation: map $host onto an explicit list of
    # backend names in the http context and return 404/444 for anything else.
    appendHttpConfig = '' server { listen turn.entr0py.de:80 default; location ^~ /.well-known/acme-challenge/ { root /var/www/letsencrypt; } } server { listen 0.0.0.0:80 default; listen [::]:80 default; location /.well-known/acme-challenge { proxy_pass http://$host$request_uri; } location / { return 301 https://$host$request_uri; } } '';

    # TLS passthrough (port 443): `ssl_preread on` reads the SNI name from the
    # ClientHello without decrypting, and proxy_pass relays the TCP stream to
    # <SNI name>:443.
    # SECURITY(review): the SNI value is chosen by the client and is not checked
    # against any list, so this listener relays to port 443 of any resolvable
    # name. Mitigation: add `map $ssl_preread_server_name $backend { ... }` in
    # the stream context listing only the intended backends, proxy_pass to
    # $backend, and drop connections with an unknown or empty name. A stream
    # access_log would also give an audit trail of which names were requested.
    streamConfig = '' resolver [2a02:2970:1002::18] 46.182.19.48 [2001:1608:10:25::9249:d69b] 84.200.70.40 ; server { listen 0.0.0.0:443; listen [::]:443; proxy_pass $ssl_preread_server_name:443; ssl_preread on; } '';
  };
}