redirect proxy

modules/system/homelab/pass.nix

@@ -2,11 +2,12 @@
   services.vaultwarden = {
     enable = true;
     config = {
-      DOMAIN = "pass.proxy.${homelab.domain}";
+      DOMAIN = "https://pass.proxy.${homelab.domain}";
-      SIGNUPS_ALLOWED = true;
-      ROCKET_ADDRESS = "127.0.0.1";
       ROCKET_PORT = 8060;
+      ROCKET_ADDRESS = "127.0.0.1";
       ROCKET_LOG = "critical";
+      DATA_FOLDER = "/mnt/data/vaultwarden";
+      SIGNUPS_ALLOWED = true;
     };
   };
 }

modules/system/homelab/proxy.nix

@@ -1,6 +1,6 @@
 { homelab, lib, ... }: let
   base = "proxy.${homelab.domain}";
-  proxy-mappings = {
+  hosts = {
     "dns"        = { dest = "http://localhost:8088"; auth = true; };
     "ai"         = { dest = "http://localhost:8080"; auth = true; };
     
@@ -21,6 +21,10 @@
     "cdn"        = { dest = "http://localhost:3000"; auth = false; };
     "@"          = { dest = "http://localhost:5070"; auth = false; };
   };
+  redirects = {
+    "www"  = "https://proxy.${homelab.domain}";
+    "dash" = "https://${homelab.domain}";
+  };
 in {
   users.users.nginx.extraGroups = [ "acme" ];
   security.acme = {
@@ -46,10 +50,13 @@ in {
         useACMEHost = base;
         locations."/".return = "404";
       };
-    } // lib.mapAttrs' (subdomain: cfg: lib.nameValuePair (if subdomain == "@" then base else "${subdomain}.${base}") {
+    } // lib.mapAttrs' (subdomain: cfg: lib.nameValuePair "${subdomain}.${base}" {
+      useACMEHost = base;
+      forceSSL = true;
+      locations."/".return = "301 https://${base}$request_uri";
+    }) redirects // lib.mapAttrs' (subdomain: cfg: lib.nameValuePair (if subdomain == "@" then base else "${subdomain}.${base}") {
       useACMEHost = base;
       forceSSL = true;
-      
       locations."/" = {
         proxyPass = cfg.dest;
         proxyWebsockets = true;
@@ -69,6 +76,6 @@ in {
           client_max_body_size 50000M;
         '';
       };
-    }) proxy-mappings;
+    }) hosts;
   };
 }