author | Ben Sima (aider) <ben@bsima.me> | 2025-03-21 23:57:07 -0400 |
---|---|---|
committer | Ben Sima <ben@bsima.me> | 2025-04-11 12:30:29 -0400 |
commit | d9875aae11b9a9de1125b4b9e2e0a61d0d22ade3 (patch) | |
tree | c6f3d8f61db0f77795d961865d143030dd047846 /Omni/Cloud/Syncthing.nix | |
parent | 42fc10baefb10071607384a7131c1c6cb076e505 (diff) |
Add Nginx virtualHost for Syncthing GUI
This commit configures Nginx as a reverse proxy for the Syncthing web
interface, making it accessible via syncthing.bensima.com with SSL
encryption. The configuration includes proper header forwarding and
WebSocket support for the Syncthing GUI.
Additionally, this commit explicitly opens the required firewall ports
for Syncthing's operation, including the GUI port, sync port (22000),
and discovery broadcast port (21027).
Diffstat (limited to 'Omni/Cloud/Syncthing.nix')
-rw-r--r-- | Omni/Cloud/Syncthing.nix | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/Omni/Cloud/Syncthing.nix b/Omni/Cloud/Syncthing.nix
index e43bc7f..7c13e6c 100644
--- a/Omni/Cloud/Syncthing.nix
+++ b/Omni/Cloud/Syncthing.nix
@@ -1,5 +1,6 @@
 {config, ...}: let
 ports = import ./Ports.nix;
+ rootDomain = config.networking.domain;
 in {
 services.syncthing = {
 enable = true;
@@ -16,4 +17,22 @@ in {
 };
 };
 };
+
+ # Configure nginx as a reverse proxy for the Syncthing GUI
+ services.nginx.virtualHosts."syncthing.${rootDomain}" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://localhost:${toString ports.syncthing-gui}/";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_read_timeout 600s;
+ proxy_send_timeout 600s;
+ '';
+ };
+ };
 }
|
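Review bot: The new `syncthing.${rootDomain}` virtual host publishes the Syncthing GUI to anyone who can reach nginx, and nothing in the added `locations."/"` block restricts who may connect; the GUI can change folders and devices, so access should not rest only on whatever GUI credentials are set in the part of `services.syncthing` this hunk does not show. Consider a proxy-side gate, for example `basicAuthFile = <path to htpasswd secret>;` on the virtual host, or `allow <trusted CIDR>; deny all;` inside `extraConfig`. The commit message also says the GUI port is opened in the firewall, which does not appear in this diff; if that happens elsewhere, clients could reach the GUI directly and bypass the TLS proxy, so the GUI is better bound to loopback with that port left closed. Separately, forwarding `Host $host` to a loopback-bound GUI presumably trips Syncthing's host-header check unless that check is disabled, so confirm which of the two is intended.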