From f039e4af1b0b7fcb15ce757b3c28802db419407b Mon Sep 17 00:00:00 2001
From: Harald Hoyer
Date: Wed, 25 Mar 2026 11:18:02 +0100
Subject: [PATCH] feat(attic): enable HTTPS and configure Nginx with ACME

- Allow TCP ports 80 and 443 in the firewall for HTTP and HTTPS traffic.
- Enable Nginx with ACME integration for automatic SSL certificate management.
- Configure a virtual host with proxy settings and support for WebSocket traffic.
---
 systems/x86_64-linux/attic/default.nix | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/systems/x86_64-linux/attic/default.nix b/systems/x86_64-linux/attic/default.nix
index e6658e5..40148d6 100644
--- a/systems/x86_64-linux/attic/default.nix
+++ b/systems/x86_64-linux/attic/default.nix
@@ -44,9 +44,31 @@
 address = [ "2a01:4f9:c014:619::1/64" ];
 routes = [{ Gateway = "fe80::1"; }];
 };
- networking.firewall.allowedTCPPorts = [ 8080 ];
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
 networking.firewall.allowPing = true;
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "harald@hoyer.xyz";
+ };
+
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ virtualHosts."attic.teepot.org" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://[::1]:8080";
+ proxyWebsockets = true;
+ extraConfig = ''
+ client_max_body_size 0;
+ '';
+ };
+ };
+ };
+
+ powerManagement.cpuFreqGovernor = "ondemand";
 system.stateVersion = "25.11";
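Review bot: `client_max_body_size 0;` in the `locations."/"` block removes the request-size limit for every path on the vhost, and nginx buffers request bodies to disk by default, so an arbitrarily large upload is spooled in full before the backend ever sees it. Consider adding `proxy_request_buffering off;` to the same `extraConfig` so bodies stream through to the backend, or replacing `0` with a finite cap sized for the largest expected upload. Separately, dropping 8080 from `allowedTCPPorts` leaves the firewall as the only barrier if the backend still binds to all interfaces. The atticd listen address is not visible in this hunk, so confirm it is bound to loopback to match the `proxyPass` target, for example `services.atticd.settings.listen = "[::1]:8080";` if the NixOS atticd module is in use.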