The Complete Computing Environment

Wobserver Nginx Frontends


Nginx is fine, I guess. I use it to host my sites and proxy my apps. This is the default configuration; follow backlinks for the per-site configurations.

# NixOS module: base nginx configuration plus the two Prometheus exporters
# that observe it (the status-page exporter and the access-log exporter).
{ pkgs, ... }:

{
  # Judging by their names, these carry the static-site vhosts and the
  # ACME/certificate settings.
  imports = [
    ./nginx-staticsites.nix
    ./wobserver-acme.nix
  ];

  services.nginx = {
    enable = true;

    # NOTE(review): the NixOS status page is expected to be reachable from
    # localhost only; confirm that no vhost or proxy exposes it externally.
    statusPage = true;

    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;

    # Custom access-log layout with $host prepended so requests can be
    # attributed per virtual host. $host, $http_referer, $http_user_agent and
    # $http_x_forwarded_for are all supplied by the client, so anything that
    # reads this log must treat those fields as untrusted input;
    # X-Forwarded-For in particular is not an authenticated client address
    # ($remote_addr is the connection's peer address).
    appendHttpConfig = ''
      log_format main
                 '$host $remote_addr - $remote_user [$time_local] "$request" '
                 '$status $body_bytes_sent "$http_referer" '
                 '"$http_user_agent" "$http_x_forwarded_for"';
      access_log /var/log/nginx/access.log  main;
    '';
  };

  services.prometheus.exporters = {
    nginx.enable = true;

    nginxlog = {
      enable = true;
      # Presumably set so the exporter can read the nginx-owned access log.
      group = "nginx";

      # https://github.com/martin-helmich/prometheus-nginxlog-exporter#configuration-file
      settings.namespaces = [
        {
          name = "wobserver";

          # Must stay in step with the log_format given to nginx above; if
          # the two drift apart the exporter can no longer parse the log.
          format = ''$host $remote_addr - $remote_user [$time_local] "$request" ''
                   + ''$status $body_bytes_sent "$http_referer" ''
                   + ''"$http_user_agent" "$http_x_forwarded_for"'';

          source = {
            files = [ "/var/log/nginx/access.log" ];
          };

          # NOTE(review): the "host" label is filled from the request's Host
          # header. If a catch-all server accepts arbitrary Host values, each
          # distinct value becomes a new Prometheus series; consider limiting
          # the label to the known vhost names (see the exporter documentation
          # linked above for its relabelling options).
          relabel_configs = [
            {
              from = "host";
              target_label = "host";
            }
          ];
        }
      ];
    };
  };
}

Certs via ACME

I use Let's Encrypt for my TLS certificates; I really like 'em.

# NixOS module: ACME account defaults and the TLS virtual hosts that use
# manually placed certificate files. Every security.acme.certs definition
# below is commented out, so no certificate is requested through ACME by this
# file as written.
{ ... }:

# `rec` lets the notes vhost further down reuse the media vhost's definition
# by referring to it by name.
rec {
  security.acme = {
    # Contact address used for the ACME account.
    defaults.email = "acme@rix.si";
    acceptTerms = true;
  };

  # temporary forward hosts
  # security.acme.certs."media.whatthefuck.computer" = {
  #   webroot = "/var/lib/acme/acme-challenge";
  #   extraDomainNames = [
  #     "notes.whatthefuck.computer"
  #   ];
  # };
  services.nginx.virtualHosts."media.whatthefuck.computer" = {
    # addSSL serves the host over HTTPS in addition to plain HTTP, without a
    # redirect, so the site stays reachable unencrypted. forceSSL is the NixOS
    # option that redirects HTTP to HTTPS.
    addSSL = true;
    # NOTE(review): the certificate files are named for fontkeming.fail while
    # the vhost is media.whatthefuck.computer; confirm that the certificate's
    # subject alternative names cover this host, otherwise clients will see a
    # hostname mismatch.
    sslCertificate = "/var/lib/nginx/certs/fontkeming.fail_cert.pem";
    # NOTE(review): this private key is provisioned outside this module.
    # Confirm that it is readable only by the nginx service user and that
    # something renews the certificate while the ACME definitions stay
    # commented out.
    sslCertificateKey = "/var/lib/nginx/certs/fontkeming.fail_key.pem";
  };
  # Same TLS settings (and therefore the same certificate and key) as the
  # media host above.
  services.nginx.virtualHosts."notes.whatthefuck.computer" = services.nginx.virtualHosts."media.whatthefuck.computer";

  # 'internal' hosts
  # security.acme.certs."fontkeming.fail" = {
  #   webroot = "/var/lib/acme/acme-challenge";
  #   extraDomainNames = [
  #     "home.rix.si"
  #     "dns.fontkeming.fail"
  #   ];
  # };

  # # site hosts
  # security.acme.certs."rix.si" = {
  #   webroot = "/var/lib/acme/acme-challenge";
  #   extraDomainNames = [
  #     "whatthefuck.computer" "notes.whatthefuck.computer" 
  #     "afd.fontkeming.fail" "dev.arcology.garden"
  #     "dongiverse.com" "kickass.systems"
  #     "ring.whatthefuck.computer"
  #     "lionsrear.com" "arcology.garden" "cce.arcology.garden"
  #   ];
  # };

  # # app hosts
  # security.acme.certs."files.fontkeming.fail" = {
  #   webroot = "/var/lib/acme/acme-challenge";
  #   extraDomainNames = [
  #     "code.rix.si"
  #     "bag.fontkeming.fail"
  #     "matrix.fontkeming.fail" 
  #     "dimension.fontkeming.fail"
  #   ];
  # };
}

INPROGRESS wobserver static sites

# NixOS module: nginx virtual hosts that serve static content from disk.
{ ... }:

{
  services.nginx.virtualHosts = {
    # Default server: requests whose Host header matches no other vhost are
    # answered from here.
    "fontkeming.fail" = {
      default = true;
      root = "/srv/static-sites/default";
    };

    # additional home.rix.si stuff in wobserver-observability!
    "home.rix.si" = {
      root = "/srv/static-sites/default";
      # With `root` (as opposed to `alias`) nginx keeps the /fdroid prefix
      # when it builds the file path under this directory.
      locations."/fdroid".root = "/srv/fdroid/repo";
    };

    "afd.fontkeming.fail".root = "/srv/afdsew/SEW";

    "dongiverse.com".root = "/srv/static-sites/dongiverse.com/_site";
    "blog.dongiverse.com".root = "/srv/static-sites/blog.dongiverse.com/_site";

    "kickass.systems".root = "/srv/static-sites/kickass.systems/_site";

    # see akkoma.org
    "notes.whatthefuck.computer" = {
      # root = "/srv/static-sites/notes.whatthefuck.computer/_site"; # 
      # locations."/atom.xml".proxyPass = "https://granary.io/url?url=http://notes.whatthefuck.computer/&input=html&output=atom&hub=https://bridgy-fed.superfeedr.com/";
      # locations."/rss.xml".proxyPass = "https://granary.io/url?url=http://notes.whatthefuck.computer/&input=html&output=rss&hub=https://bridgy-fed.superfeedr.com/";
    };

    "whatthefuck.computer" = {
      serverAliases = ["rix.si"];
      root = "/srv/static-sites/whatthefuck.computer/_site";

      # Per-user pages: /~NAME/PATH is served from /home/NAME/public_html/PATH.
      # NOTE(review): both captures come straight from the request URL and
      # `(.+?)` accepts any characters as NAME. Restricting the first capture
      # to the characters allowed in local account names would keep the alias
      # target confined to /home/<account>/public_html.
      # NOTE(review): the NixOS nginx unit is sandboxed by default; verify
      # which paths under /home the service can actually read, and that it is
      # no more than the public_html directories.
      locations."~ ^/~(.+?)(/.*)?$" = {
        alias = "/home/$1/public_html$2";
        index = "index.html index.htm";
        # autoindex publishes a listing of every file in a directory that has
        # no index file, so anything dropped into public_html becomes
        # discoverable by name.
        extraConfig = "autoindex on;";
      };
    };
  };
}

NEXT move afd.fontkeming.fail vhost to Area Forecast Discussion

DONE plumb these through on fontkeming

need to finish up Wobserver Observability to migrate home.rix.si

INPROGRESS virtualHosts

DONE fix nginxexporter

NEXT understand where webroot is wired up

NEXT at least read the "recommended settings"