# NixOS module: nginx reverse proxy in front of the Gerrit service described by
# `config.bagel.services.gerrit`. Activated only when that service is enabled;
# it terminates TLS (ACME certificate, HTTP redirected to HTTPS), forwards to
# the local Gerrit listener and opens the two web ports in the firewall.
{ config, lib, ... }:
let
  gerrit = config.bagel.services.gerrit;
  # First configured domain is the canonical server_name, the rest are aliases.
  primaryDomain = builtins.head gerrit.domains;
  aliasDomains = builtins.tail gerrit.domains;
in
{
  config = lib.mkIf gerrit.enable {
    services.nginx = {
      enable = true;
      # Reload on config change instead of restarting, so open connections survive.
      enableReload = true;
      # Opt every response out of FLoC / interest-cohort tracking (http-level
      # add_header; inherited because no location below sets its own add_header).
      appendHttpConfig = ''
        add_header Permissions-Policy "interest-cohort=()";
      '';

      virtualHosts.gerrit = {
        serverName = primaryDomain;
        serverAliases = aliasDomains;
        enableACME = true;
        forceSSL = true;
        # X-Forwarded-For is filled from $remote_addr (the TCP peer), so a
        # client cannot spoof its address via an incoming X-Forwarded-For header.
        # NOTE(review): if another proxy/CDN sits in front of this nginx,
        # $remote_addr would be that proxy's address — confirm the topology.
        # The Host header passed upstream is the client-supplied one; the
        # :443 suffix is a documented workaround (see the linked issue).
        extraConfig = ''
          location / {
            proxy_pass http://localhost:4778;
            proxy_set_header X-Forwarded-For $remote_addr;
            # The :443 suffix is a workaround for https://b.tvl.fyi/issues/88.
            proxy_set_header Host $host:443;
          }
          location = /robots.txt {
            return 200 'User-agent: *\nAllow: /';
          }
        '';
      };
    };

    # 80 is only needed for the ACME challenge and the HTTPS redirect.
    networking.firewall.allowedTCPPorts = [ 443 80 ];
  };
}