diff --git a/hosts/plover/modules/services/gitea.nix b/hosts/plover/modules/services/gitea.nix index 4e984f43..62197513 100644 --- a/hosts/plover/modules/services/gitea.nix +++ b/hosts/plover/modules/services/gitea.nix @@ -174,6 +174,9 @@ in locations."/" = { proxyPass = "http://localhost:${toString config.services.gitea.settings.server.HTTP_PORT}"; }; + extraConfig = '' + proxy_cache ${config.services.nginx.proxyCachePath.apps.keysZoneName}; + ''; }; # Configuring fail2ban for this service which thankfully has a dedicated page diff --git a/hosts/plover/modules/services/nginx.nix b/hosts/plover/modules/services/nginx.nix index 26bb3a11..89a94504 100644 --- a/hosts/plover/modules/services/nginx.nix +++ b/hosts/plover/modules/services/nginx.nix @@ -17,10 +17,25 @@ recommendedProxySettings = true; recommendedTlsSettings = true; + proxyCachePath.apps = { + enable = true; + keysZoneName = "apps"; + }; + + appendConfig = '' + worker_processes auto; + ''; + # We're avoiding any service to be the default server especially that it # could be used for enter a service with unencrypted HTTP. So we're setting # up one with an unresponsive server response. appendHttpConfig = '' + # https://docs.nginx.com/nginx/admin-guide/content-cache/content-caching/ + proxy_cache_min_uses 5; + proxy_cache_valid 200 302 10m; + proxy_cache_valid 404 1m; + proxy_no_cache $http_pragma $http_authorization; + server { listen 80 default_server; listen [::]:80 default_server; diff --git a/hosts/plover/modules/services/vaultwarden.nix b/hosts/plover/modules/services/vaultwarden.nix index 3a06b6f5..9928e46e 100644 --- a/hosts/plover/modules/services/vaultwarden.nix +++ b/hosts/plover/modules/services/vaultwarden.nix @@ -154,6 +154,9 @@ in proxyWebsockets = true; }; }; + extraConfig = '' + proxy_cache ${config.services.nginx.proxyCachePath.apps.keysZoneName}; + ''; }; # Configuring fail2ban for this service which thankfully has a dedicated page
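Review bot: Placing `proxy_cache` in the virtual host's `extraConfig` in gitea.nix turns caching on for every location of a service that signs browsers in with a session cookie, while the only exclusion this commit defines is `proxy_no_cache $http_pragma $http_authorization;` in nginx.nix. nginx's default cache key does not include cookies, so whether a signed-in user's page can be stored and later served to a different visitor rests entirely on the caching headers the upstream sends. I would add `proxy_no_cache $http_cookie $http_pragma $http_authorization;` and `proxy_cache_bypass $http_cookie $http_pragma $http_authorization;` next to the `proxy_cache` line (a server-level `proxy_no_cache` replaces the http-level one, so the list has to be repeated), or enable the cache only in locations that serve static assets. The vaultwarden.nix hunk makes the same vhost-wide change, and the attribute set that holds `extraConfig` opens outside the hunk.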
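Review bot: In nginx.nix, `proxy_no_cache` only decides whether a response is saved; without a matching `proxy_cache_bypass`, a request that carries `Authorization` or `Pragma` can still be answered from an entry stored for an earlier request. Adding `proxy_cache_bypass $http_pragma $http_authorization;` beside it closes that gap. `proxy_cache_valid 200 302 10m;` also covers redirects when the upstream sends no caching headers, so a redirect to a sign-in page could presumably be replayed to a user who has since signed in; dropping `302` from the list avoids that. The comment above `appendHttpConfig` still describes only the default server, so a line such as `# Shared proxy-cache defaults for all virtual hosts.` above the new directives would help. The `server` block continues past the hunk.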
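Review bot: In vaultwarden.nix the server-level `proxy_cache` is inherited by the location that sets `proxyWebsockets = true;` just above it, where a cache has no use, and by every other endpoint of a password vault. Consider `proxy_cache off;` in that location's own config, or enabling the cache only in the locations that serve static files. The location definitions start outside the hunk, so which paths are affected cannot be confirmed from here.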