split webconfig into each service file

2022-12-17 00:52:48 +00:00
parent 3e1340ed61
commit 1e0c213adf
17 changed files with 274 additions and 266 deletions
--- a/hosts/servo/default.nix
+++ b/hosts/servo/default.nix
@@ -15,8 +15,6 @@
  ];
  sane.impermanence.enable = true;
  # sane.services.duplicity.enable = true;  # TODO: re-enable after HW upgrade
  sane.services.nixserve.enable = true;
  sane.services.nixserve.sopsFile = ../../secrets/servo.yaml;
  boot.loader.efi.canTouchEfiVariables = false;
  sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
--- a/hosts/servo/services/default.nix
+++ b/hosts/servo/services/default.nix
@@ -13,6 +13,7 @@
    ./kiwix-serve.nix
    ./matrix
    ./navidrome.nix
    ./nixserve.nix
    ./nginx.nix
    ./pleroma.nix
    ./postfix.nix
--- a/hosts/servo/services/ejabberd.nix
+++ b/hosts/servo/services/ejabberd.nix
@@ -34,6 +34,17 @@
    "vjid.xmpp.uninsane.org"
  ];
  # exists so the XMPP server's cert can obtain altNames for all its resources
  services.nginx.virtualHosts."pubsub.xmpp.uninsane.org" = {
    useACMEHost = "uninsane.org";
  };
  services.nginx.virtualHosts."upload.xmpp.uninsane.org" = {
    useACMEHost = "uninsane.org";
  };
  services.nginx.virtualHosts."vjid.xmpp.uninsane.org" = {
    useACMEHost = "uninsane.org";
  };
  # TODO: allocate UIDs/GIDs ?
  services.ejabberd.enable = true;
  services.ejabberd.configFile = builtins.toFile "ejabberd.yaml" ''
--- a/hosts/servo/services/freshrss.nix
+++ b/hosts/servo/services/freshrss.nix
@@ -49,4 +49,11 @@
  # the default ("*:0/5") is to run every 5 minutes.
  # `systemctl list-timers` to show
  systemd.services.freshrss-updater.startAt = lib.mkForce "*:3/30";
  services.nginx.virtualHosts."rss.uninsane.org" = {
    addSSL = true;
    enableACME = true;
    # inherit kTLS;
    # the routing is handled by services.freshrss.virtualHost
  };
 }
--- a/hosts/servo/services/gitea.nix
+++ b/hosts/servo/services/gitea.nix
@@ -72,4 +72,16 @@
      "/var/lib/gitea"
    ];
  };
  # hosted git (web view and for `git <cmd>` use
  # TODO: enable publog?
  services.nginx.virtualHosts."git.uninsane.org" = {
    forceSSL = true;  # gitea complains if served over a different protocol than its config file says
    enableACME = true;
    # inherit kTLS;
    locations."/" = {
      proxyPass = "http://127.0.0.1:3000";
    };
  };
 }
--- a/hosts/servo/services/goaccess.nix
+++ b/hosts/servo/services/goaccess.nix
@@ -43,4 +43,24 @@
    after = [ "network.target" ];
    wantedBy = [ "multi-user.target" ];
  };
  # server statistics
  services.nginx.virtualHosts."sink.uninsane.org" = {
    addSSL = true;
    enableACME = true;
    # inherit kTLS;
    root = "/var/lib/uninsane/sink";
    locations."/ws" = {
      proxyPass = "http://127.0.0.1:7890";
      # XXX not sure how much of this is necessary
      extraConfig = ''
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_buffering off;
        proxy_read_timeout 7d;
      '';
    };
  };
 }
--- a/hosts/servo/services/ipfs.nix
+++ b/hosts/servo/services/ipfs.nix
@@ -18,6 +18,22 @@ lib.mkIf false # i don't actively use ipfs anymore
  networking.firewall.allowedTCPPorts = [ 4001 ];
  networking.firewall.allowedUDPPorts = [ 4001 ];
  services.nginx.virtualHosts."ipfs.uninsane.org" = {
    # don't default to ssl upgrades, since this may be dnslink'd from a different domain.
    # ideally we'd disable ssl entirely, but some places assume it?
    addSSL = true;
    enableACME = true;
    # inherit kTLS;
    locations."/" = {
      proxyPass = "http://127.0.0.1:8080";
      extraConfig = ''
        proxy_set_header Host $host;
        proxy_set_header X-Ipfs-Gateway-Prefix "";
      '';
    };
  };
  # services.ipfs.enable = true;
  services.kubo.localDiscovery = true;
  services.kubo.settings = {
--- a/hosts/servo/services/jackett.nix
+++ b/hosts/servo/services/jackett.nix
@@ -15,5 +15,16 @@
    # patch jackett to listen on the public interfaces
    # ExecStart = lib.mkForce "${pkgs.jackett}/bin/Jackett --NoUpdates --DataFolder /var/lib/jackett/.config/Jackett --ListenPublic";
  };
  # jackett torrent search
  services.nginx.virtualHosts."jackett.uninsane.org" = {
    forceSSL = true;
    enableACME = true;
    # inherit kTLS;
    locations."/" = {
      # proxyPass = "http://ovpns.uninsane.org:9117";
      proxyPass = "http://10.0.1.6:9117";
    };
  };
 }
--- a/hosts/servo/services/jellyfin.nix
+++ b/hosts/servo/services/jellyfin.nix
@@ -1,5 +1,8 @@
-{ config, ... }:
+{ config, lib, ... }:
 # TODO: re-enable after migrating media dir to /var/lib/uninsane/media
 # else it's too spammy
 lib.mkIf false
 {
  networking.firewall.allowedUDPPorts = [
    1900 7359 # DLNA: https://jellyfin.org/docs/general/networking/index.html
@@ -9,9 +12,56 @@
    { user = "jellyfin"; group = "jellyfin"; directory = "/var/lib/jellyfin"; }
  ];
  # Jellyfin multimedia server
  # this is mostly taken from the official jellfin.org docs
  services.nginx.virtualHosts."jelly.uninsane.org" = {
    addSSL = true;
    enableACME = true;
    # inherit kTLS;
    locations."/" = {
      proxyPass = "http://127.0.0.1:8096";
      extraConfig = ''
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
        # Disable buffering when the nginx proxy gets very resource heavy upon streaming
        proxy_buffering off;
      '';
    };
    # locations."/web/" = {
    #   proxyPass = "http://127.0.0.1:8096/web/index.html";
    #   extraConfig = ''
    #     proxy_set_header Host $host;
    #     proxy_set_header X-Real-IP $remote_addr;
    #     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #     proxy_set_header X-Forwarded-Proto $scheme;
    #     proxy_set_header X-Forwarded-Protocol $scheme;
    #     proxy_set_header X-Forwarded-Host $http_host;
    #   '';
    # };
    locations."/socket" = {
      proxyPass = "http://127.0.0.1:8096";
      extraConfig = ''
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
      '';
    };
  };
  # users.users.jellyfin.uid = config.sane.allocations.jellyfin-uid;
  # users.groups.jellyfin.gid = config.sane.allocations.jellyfin-gid;
-  # TODO: re-enable after migrating media dir to /var/lib/uninsane/media
+  services.jellyfin.enable = true;
  # else it's too spammy
  # services.jellyfin.enable = true;
 }
--- a/hosts/servo/services/kiwix-serve.nix
+++ b/hosts/servo/services/kiwix-serve.nix
@@ -5,4 +5,11 @@
    port = 8013;
    zimPaths = [ "/var/lib/uninsane/www-archive/wikipedia_en_all_maxi_2022-05.zim" ];
  };
  services.nginx.virtualHosts."w.uninsane.org" = {
    forceSSL = true;
    enableACME = true;
    # inherit kTLS;
    locations."/".proxyPass = "http://127.0.0.1:8013";
  };
 }
--- a/hosts/servo/services/matrix/default.nix
+++ b/hosts/servo/services/matrix/default.nix
@@ -1,6 +1,6 @@
 # docs: https://nixos.wiki/wiki/Matrix
 # docs: https://nixos.org/manual/nixos/stable/index.html#module-services-matrix-synapse
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 {
  imports = [
@@ -77,6 +77,50 @@
  # create a token with limited uses:
  #   curl -d '{ "uses_allowed": 1 }' --header "Authorization: Bearer <my_token>" localhost:8008/_synapse/admin/v1/registration_tokens/new
  # matrix chat server
  # TODO: was `publog`
  services.nginx.virtualHosts."matrix.uninsane.org" = {
    addSSL = true;
    enableACME = true;
    # inherit kTLS;
    # TODO colin: replace this with something helpful to the viewer
    # locations."/".extraConfig = ''
    #   return 404;
    # '';
    locations."/" = {
      proxyPass = "http://127.0.0.1:8008";
    };
    # redirect browsers to the web client.
    # i don't think native matrix clients ever fetch the root.
    # ideally this would be put behind some user-agent test though.
    locations."= /" = {
      return = "301 https://web.matrix.uninsane.org";
    };
    # locations."/_matrix" = {
    #   proxyPass = "http://127.0.0.1:8008";
    # };
  };
  # matrix web client
  # docs: https://nixos.org/manual/nixos/stable/index.html#module-services-matrix-element-web
  services.nginx.virtualHosts."web.matrix.uninsane.org" = {
    forceSSL = true;
    enableACME = true;
    # inherit kTLS;
    root = pkgs.element-web.override {
      conf = {
        default_server_config."m.homeserver" = {
          "base_url" = "https://matrix.uninsane.org";
          "server_name" = "uninsane.org";
        };
      };
    };
  };
  sops.secrets.matrix_synapse_secrets = {
    sopsFile = ../../../../secrets/servo.yaml;
--- a/hosts/servo/services/navidrome.nix
+++ b/hosts/servo/services/navidrome.nix
@@ -14,4 +14,11 @@
    AutoImportPlaylists = false;
    ScanSchedule = "@every 1h";
  };
  services.nginx.virtualHosts."music.uninsane.org" = {
    forceSSL = true;
    enableACME = true;
    # inherit kTLS;
    locations."/".proxyPass = "http://127.0.0.1:4533";
  };
 }
--- a/hosts/servo/services/nginx.nix
+++ b/hosts/servo/services/nginx.nix
@@ -9,7 +9,7 @@ let
    '';
  };
-  kTLS = true;  # in-kernel TLS for better perf
+  # kTLS = true;  # in-kernel TLS for better perf
 in
 {
@@ -48,7 +48,7 @@ in
    # and things don't look right. so force SSL.
    forceSSL = true;
    enableACME = true;
-    inherit kTLS;
+    # inherit kTLS;
    # for OCSP stapling
    sslTrustedCertificate = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
@@ -96,263 +96,6 @@ in
    # };
  };
  # server statistics
  services.nginx.virtualHosts."sink.uninsane.org" = {
    addSSL = true;
    enableACME = true;
    inherit kTLS;
    root = "/var/lib/uninsane/sink";
    locations."/ws" = {
      proxyPass = "http://127.0.0.1:7890";
      # XXX not sure how much of this is necessary
      extraConfig = ''
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_buffering off;
        proxy_read_timeout 7d;
      '';
    };
  };
  # Pleroma server and web interface
  services.nginx.virtualHosts."fed.uninsane.org" = publog {
    forceSSL = true;  # pleroma redirects to https anyway
    enableACME = true;
    inherit kTLS;
    locations."/" = {
      proxyPass = "http://127.0.0.1:4000";
      # documented: https://git.pleroma.social/pleroma/pleroma/-/blob/develop/installation/pleroma.nginx
      extraConfig = ''
        # XXX colin: this block is in the nixos examples: i don't understand all of it
        add_header 'Access-Control-Allow-Origin' '*' always;
        add_header 'Access-Control-Allow-Methods' 'POST, PUT, DELETE, GET, PATCH, OPTIONS' always;
        add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Idempotency-Key' always;
        add_header 'Access-Control-Expose-Headers' 'Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id' always;
        if ($request_method = OPTIONS) {
            return 204;
        }
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Permitted-Cross-Domain-Policies none;
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        add_header Referrer-Policy same-origin;
        add_header X-Download-Options noopen;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # proxy_set_header Host $http_host;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # colin: added this due to Pleroma complaining in its logs
        # proxy_set_header X-Real-IP $remote_addr;
        # proxy_set_header X-Forwarded-Proto $scheme;
        client_max_body_size 16m;
      '';
    };
  };
  # transmission web client
  services.nginx.virtualHosts."bt.uninsane.org" = {
    # basicAuth is literally cleartext user/pw, so FORCE this to happen over SSL
    forceSSL = true;
    enableACME = true;
    inherit kTLS;
    locations."/" = {
      # proxyPass = "http://ovpns.uninsane.org:9091";
      proxyPass = "http://10.0.1.6:9091";
    };
  };
  # jackett torrent search
  services.nginx.virtualHosts."jackett.uninsane.org" = {
    forceSSL = true;
    enableACME = true;
    inherit kTLS;
    locations."/" = {
      # proxyPass = "http://ovpns.uninsane.org:9117";
      proxyPass = "http://10.0.1.6:9117";
    };
  };
  # matrix chat server
  services.nginx.virtualHosts."matrix.uninsane.org" = publog {
    addSSL = true;
    enableACME = true;
    inherit kTLS;
    # TODO colin: replace this with something helpful to the viewer
    # locations."/".extraConfig = ''
    #   return 404;
    # '';
    locations."/" = {
      proxyPass = "http://127.0.0.1:8008";
    };
    # redirect browsers to the web client.
    # i don't think native matrix clients ever fetch the root.
    # ideally this would be put behind some user-agent test though.
    locations."= /" = {
      return = "301 https://web.matrix.uninsane.org";
    };
    # locations."/_matrix" = {
    #   proxyPass = "http://127.0.0.1:8008";
    # };
  };
  # matrix web client
  # docs: https://nixos.org/manual/nixos/stable/index.html#module-services-matrix-element-web
  services.nginx.virtualHosts."web.matrix.uninsane.org" = {
    forceSSL = true;
    enableACME = true;
    inherit kTLS;
    root = pkgs.element-web.override {
      conf = {
        default_server_config."m.homeserver" = {
          "base_url" = "https://matrix.uninsane.org";
          "server_name" = "uninsane.org";
        };
      };
    };
  };
  # hosted git (web view and for `git <cmd>` use
  services.nginx.virtualHosts."git.uninsane.org" = publog {
    forceSSL = true;  # gitea complains if served over a different protocol than its config file says
    enableACME = true;
    inherit kTLS;
    locations."/" = {
      proxyPass = "http://127.0.0.1:3000";
    };
  };
  # Jellyfin multimedia server
  # this is mostly taken from the official jellfin.org docs
  services.nginx.virtualHosts."jelly.uninsane.org" = {
    addSSL = true;
    enableACME = true;
    inherit kTLS;
    locations."/" = {
      proxyPass = "http://127.0.0.1:8096";
      extraConfig = ''
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
        # Disable buffering when the nginx proxy gets very resource heavy upon streaming
        proxy_buffering off;
      '';
    };
    # locations."/web/" = {
    #   proxyPass = "http://127.0.0.1:8096/web/index.html";
    #   extraConfig = ''
    #     proxy_set_header Host $host;
    #     proxy_set_header X-Real-IP $remote_addr;
    #     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #     proxy_set_header X-Forwarded-Proto $scheme;
    #     proxy_set_header X-Forwarded-Protocol $scheme;
    #     proxy_set_header X-Forwarded-Host $http_host;
    #   '';
    # };
    locations."/socket" = {
      proxyPass = "http://127.0.0.1:8096";
      extraConfig = ''
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
      '';
    };
  };
  services.nginx.virtualHosts."music.uninsane.org" = {
    forceSSL = true;
    enableACME = true;
    inherit kTLS;
    locations."/".proxyPass = "http://127.0.0.1:4533";
  };
  services.nginx.virtualHosts."w.uninsane.org" = {
    forceSSL = true;
    enableACME = true;
    inherit kTLS;
    locations."/".proxyPass = "http://127.0.0.1:8013";
  };
  services.nginx.virtualHosts."rss.uninsane.org" = {
    addSSL = true;
    enableACME = true;
    inherit kTLS;
    # the routing is handled by freshrss.nix
  };
  services.nginx.virtualHosts."ipfs.uninsane.org" = {
    # don't default to ssl upgrades, since this may be dnslink'd from a different domain.
    # ideally we'd disable ssl entirely, but some places assume it?
    addSSL = true;
    enableACME = true;
    inherit kTLS;
    locations."/" = {
      proxyPass = "http://127.0.0.1:8080";
      extraConfig = ''
        proxy_set_header Host $host;
        proxy_set_header X-Ipfs-Gateway-Prefix "";
      '';
    };
  };
  # exists only to manage certs for dovecot
  services.nginx.virtualHosts."imap.uninsane.org" = {
    enableACME = true;
  };
  # exists only to manage certs for Postfix
  services.nginx.virtualHosts."mx.uninsane.org" = {
    enableACME = true;
  };
  # exists so the XMPP server's cert can obtain altNames for all its resources
  services.nginx.virtualHosts."pubsub.xmpp.uninsane.org" = {
    useACMEHost = "uninsane.org";
  };
  services.nginx.virtualHosts."upload.xmpp.uninsane.org" = {
    useACMEHost = "uninsane.org";
  };
  services.nginx.virtualHosts."vjid.xmpp.uninsane.org" = {
    useACMEHost = "uninsane.org";
  };
  services.nginx.virtualHosts."nixcache.uninsane.org" = {
    addSSL = true;
    enableACME = true;
    inherit kTLS;
    # serverAliases = [ "nixcache" ];
    locations."/".extraConfig = ''
      proxy_pass http://localhost:${toString config.services.nix-serve.port};
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    '';
  };
  # serve any site not listed above, if it's static.
  # because we define it dynamically, SSL isn't trivial. support only http
--- a/hosts/servo/services/nixserve.nix
+++ b/hosts/servo/services/nixserve.nix
@@ -0,0 +1,18 @@
 { config, ... }:
 {
  services.nginx.virtualHosts."nixcache.uninsane.org" = {
    addSSL = true;
    enableACME = true;
    # inherit kTLS;
    # serverAliases = [ "nixcache" ];
    locations."/".extraConfig = ''
      proxy_pass http://localhost:${toString config.services.nix-serve.port};
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    '';
  };
  sane.services.nixserve.enable = true;
  sane.services.nixserve.sopsFile = ../../../secrets/servo.yaml;
 }
--- a/hosts/servo/services/pleroma.nix
+++ b/hosts/servo/services/pleroma.nix
@@ -137,6 +137,48 @@
  #   CapabilityBoundingSet = lib.mkForce "~";
  # };
  # Pleroma server and web interface
  # TODO: enable publog?
  services.nginx.virtualHosts."fed.uninsane.org" = {
    forceSSL = true;  # pleroma redirects to https anyway
    enableACME = true;
    # inherit kTLS;
    locations."/" = {
      proxyPass = "http://127.0.0.1:4000";
      # documented: https://git.pleroma.social/pleroma/pleroma/-/blob/develop/installation/pleroma.nginx
      extraConfig = ''
        # XXX colin: this block is in the nixos examples: i don't understand all of it
        add_header 'Access-Control-Allow-Origin' '*' always;
        add_header 'Access-Control-Allow-Methods' 'POST, PUT, DELETE, GET, PATCH, OPTIONS' always;
        add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Idempotency-Key' always;
        add_header 'Access-Control-Expose-Headers' 'Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id' always;
        if ($request_method = OPTIONS) {
            return 204;
        }
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Permitted-Cross-Domain-Policies none;
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        add_header Referrer-Policy same-origin;
        add_header X-Download-Options noopen;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # proxy_set_header Host $http_host;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # colin: added this due to Pleroma complaining in its logs
        # proxy_set_header X-Real-IP $remote_addr;
        # proxy_set_header X-Forwarded-Proto $scheme;
        client_max_body_size 16m;
      '';
    };
  };
  sops.secrets.pleroma_secrets = {
    sopsFile = ../../../secrets/servo.yaml;
    owner = config.users.users.pleroma.name;
--- a/hosts/servo/services/postfix.nix
+++ b/hosts/servo/services/postfix.nix
@@ -34,6 +34,15 @@ in
    993  # IMAPS
  ];
  # exists only to manage certs for dovecot
  services.nginx.virtualHosts."imap.uninsane.org" = {
    enableACME = true;
  };
  # exists only to manage certs for Postfix
  services.nginx.virtualHosts."mx.uninsane.org" = {
    enableACME = true;
  };
  services.postfix.enable = true;
  services.postfix.hostname = "mx.uninsane.org";
  services.postfix.origin = "uninsane.org";
--- a/hosts/servo/services/transmission.nix
+++ b/hosts/servo/services/transmission.nix
@@ -62,5 +62,17 @@
      OnUnitActiveSec = "240min";
    };
  };
  # transmission web client
  services.nginx.virtualHosts."bt.uninsane.org" = {
    # basicAuth is literally cleartext user/pw, so FORCE this to happen over SSL
    forceSSL = true;
    enableACME = true;
    # inherit kTLS;
    locations."/" = {
      # proxyPass = "http://ovpns.uninsane.org:9091";
      proxyPass = "http://10.0.1.6:9091";
    };
  };
 }